Insights on cybersecurity, privacy and data protection law

Europeans Express Positive Views on AI and Robotics: Report on Preliminary Results from Public Consultations

Posted in AI and Machine Learning, Big Data, European Union, Privacy
Carole Piovesan

On October 6, 2017, the European Parliament released its preliminary findings on its public consultation on robotics and artificial intelligence. The consultations resulted in 298 responses reflecting public perceptions about the risks and benefits of AI technology. According to the EU Committee website, the results of the consultation will inform the Parliament’s position on ethical, economic, legal, and social issues arising in the area of robotics and artificial intelligence for civil use.

Among the key findings were that there is strong support for a central EU regulatory body, in part to protect “EU values” (especially data protection, privacy and ethics) and to address  significant public concern regarding issues of data protection.


The European Parliament’s Committee on Legal Affairs set up a working group in 2015 with the aim of drawing up “European” civil law rules regarding robots and artificial intelligence. While the European Commission has the right to initiate laws, the Parliament is able to draft a motion for resolution, which if passed, can prompt the Commission to create a proposal for legislation.

The Parliament passed a resolution on February 16, 2017 titled “Civil Law Rules on Robotics”, asking the Commission to propose rules on robotics and artificial intelligence, in order to fully exploit their economic potential and to guarantee a standard level of safety and security.

The goal of the Parliament seemed to be to place the EU at the forefront of developing regulation for artificial intelligence and robots. Part of the reason for this was to ensure that human rights and ethical concerns are protected and that EU values (especially data protection, privacy and ethics) were paramount.

The Parliament proposed a Charter on Robotics, which is a code of ethical conduct for robotics engineers, research ethics committees, and a license for designers and users (annexed to the Resolution).

The resolution called on the European Commission to propose legislation on various topics including:

  • General principles concerning the development of robotics and artificial intelligence for civil use – for example by creating a classification system for robots (see para. 1);
  • Research and innovation guidelines (see paras. 6-9);
  • Ethical principles (see paras. 10-14);
  • Creating a “European Agency for Robotics and Artificial Intelligence” (see paras. 15-17);
  • Intellectual property rights and the flow of data (see paras. 18-21);
  • Standardization, safety and security – for example by harmonising technical standards (see paras. 22-23);
  • Autonomous means of transportation (see paras. 24-30);
  • Creating a specific legal status for robots in the long run, in order to establish who is liable if they cause damage;
  • Environmental impact (see paras. 47-48); and,
  • Liability related to robots[1] – for example, to clarify liability issues for self-driving cars (see paras. 49-59), and to create a mandatory insurance scheme and a supplementary fund to ensure that victims of accidents caused by driverless cars are compensated (see para. 57).

In May 2017, the European Commission published a preliminary response to some of Parliament’s recommendations. While the Commission agreed with many of Parliament’s suggestions, it has not made any proposals on the issues yet.

Overall in the Commission’s response, it agreed with the Parliament that there is a “need for legal certainty as to the allocation of liability” in the context of new technologies. To this end, the Commission “intends to work with the European Parliament and the Member States on an EU response.”

The Commission noted that it awaits the response of the Parliament’s public consultation, and that it will conduct its own public consultation and stakeholder dialogue on the issues.

Results of Public Consultation

The preliminary results of the Parliament’s public consultation were released on October 6, 2017. A PowerPoint summarizing the results is available here. The public consultations were open to all EU citizens and consisted of one general public survey and one survey targeted to a “specialized” audience. The trends emerging from the consultations showed:

  • the vast majority of respondents have positive views on robotics and AI developments but want careful management of the technology;
  • despite the positive attitude towards the technology, the majority of respondents are concerned about privacy interests and the possible threat of AI and robotics to humanity;
  • 90% of respondents support public regulation of robotics and AI with only 6% against regulation and 4% noted as “other”;
  • reasons given in support of public regulation include:
    • avoid abuse by industry;
    • need to address concerns about ethics, human rights, data protection and privacy;
    • need to set common standards for industry to have certainty; and,
    • consumer protection.
  • reasons given against public regulation include:
    • too soon to regulate emerging technology;
    • harms competitiveness;
    • hinders innovation and creativity; and,
    • general skepticism with regulation.
  • 96% of respondents agree that international regulation of AI and robotics is desirable as well;
  • the top four reasons in support of EU-wide regulation of AI and robotics are:
    • data protection;
    • values and principles;
    • liability rules; and,
    • EU competitiveness.
  • public opinion regarding sectors in urgent need of EU-wide regulation is almost equally shared between (a) autonomous vehicles; (b) medical robots; (c) care robots; (d) drones; and, (e) human repair and enhancement.

A summary report of the findings of the public consultation will be publicly available in due course.

Interestingly, European public opinion appears to be much more positive towards automation technologies than U.S. public opinion, based on the results of a recently-release report by the Pew Research Centre. The Center surveyed 4,135 U.S. adults between May 1 and 15, 2017, and found that “Americans generally express more worry than enthusiasm when asked about these automation technologies.” A summary of the report is available here.


[1] EP resolution 16 Feb 2017,Paras 49-59

McCarthy Tétrault Event: Big Data Seminar – October 18th, 2017

Posted in Big Data, Competition, Privacy

The second part of McCarthy Tétraults Transformative Technologies Series explores the asset that underpins many of today’s transformative technologies: big data.

This seminar will provide an overview of some of the pressing legal questions businesses are facing as big data takes centre stage. Businesses are increasingly harnessing big data in ways that drive innovation and quality improvements across a range of industries.

With Canada’s federal privacy legislation currently under review and the Competition Bureau’s release on September 18, 2017 of its consultation paper “Competition Bureau – Big data and Innovation”, data is not only a driver of innovation, it can also present legal and regulatory challenges – both to businesses and regulators.

Topics to be covered during this session are:

  • Privacy: How can companies be sure consumer consent is valid for big data applications, those in use, and those that won’t be known until sometime in the future? Does aggregation solve privacy problems? Does de-identification? How can businesses fulfil transparency and accountability obligations to customers when dealing with big data? How does a business working with a third party provider, (e.g. cloud services or data analytics provider), demonstrate a “comparable level of protection”? With an evolving global privacy landscape, (the General Data Protection Regulation (GDPR) comes into force in May 2018), what are the potential directions for Canada?
  • Competition: The growth of the digital economy means the rise of business models based on “Big Data”. The use of big data by companies for the development of products and services can generate substantial efficiency and productivity gains, (e.g. improving decision-making, refining consumer segmentation and targeting). However, the acquisition and use of Big Data can raise competition issues, including allegations of abuse of dominance and even criminal cartel activity. Competition and privacy issues associated with Big Data may appear to conflict, and are currently before the Federal Court of Appeal in the TREB case. Find out how competition laws impact – and are likely to impact in the future – companies’ Big Data activities.
  • Managing Data: To be useful, data must be processed. This means organizations must find data in their systems, (or from other sources), manage it appropriately, standardize it so it can be processed, refine it so it achieves the ends anticipated, monitor the outputs, and make decisions about what will and will not be shared and with whom. Organizations face challenges at each step along the way, and there are better, (and worse!), ways to approach them. Technical missteps can result in legal and regulatory issues.

Our speakers are :

  • Paul Johnson, T.D. MacDonald Chair in Industrial Economics from the Competition Bureau of Canada
  • Kirsten Thompson from McCarthy Tétrault 
  • Izabella Gabowicz, COO of Sensibill

We look forward to welcoming you!Interested in attending?  Please contact us at


Wednesday, October 18, 2017

11:30 a.m. (EST) – Registration and Lunch
12:00 p.m. (EST) – 1:30 p.m. (EST) – Seminar

Toronto Office and Online

*Note: For those participants who cannot join us in person, we are offering this program via webinar. If you are interested in this alternative, please select the appropriate option during the online registration process. All instructions and information on how to access the webinar will be forwarded a few days before the event.

This program qualifies for up to 1.5 hours of eligible educational activity or CPD/MCE credit under the mandatory education regimes in British Columbia, Ontario and Québec.

Drones, Trains and Automobiles: Clear(er) Skies Ahead for Drone Operators in Canada

Posted in UAVs
Shane Lamond

Drone operators are (almost) cleared for takeoff in urban centres again as Transport Canada proposes a new regulatory regime aiming to balance innovation with public safety and easy-to-follow rules with flexibility.

The new regulations – for which public comment is open until October 13 – adopt a risk-based approach to managing the use of unmanned aircraft systems based on the weight of the unmanned aircraft (UA), the operating environment, and the complexity of the operation.

Businesses currently using drone technology, and especially those in rural areas, will see increased predictability as ad hoc applications under the existing Special Flight Operations Certificate (SFOC) regime are replaced with Canada-wide standards. However, more adventurous and demanding applications, for example those using UAs heavier than 25kg or operating beyond visual line of site, will still require a SFOC.

The current regulations

Transport Canada has identified three issues associated with the rapidly growing UA industry and its current regulations: (1) the overarching safety issue; (2) lack of regulatory predictability; and (3) a significant administrative burden borne out of the application for and granting of SFOCs.

Current regulations distinguish between recreational and commercial purposes in defining whether and to what extent the government will require registration with Transport Canada (for drones between 1 – 25kgs used for work or research) or the possession of an SFOC (work or research UAs weighing more than 25kgs or recreational UAs weighing more than 35kgs). All operators are currently required to follow rules applicable to the weight class and operation environment of their UA, as well as obeying criminal and nuisance laws and observing air safety rules.

Combined with strict limitations on the physical proximity of UAs to vehicles, vessels and the public, existing regulations effectively prohibit the operation of UAs in urban areas and impose an onerous certification scheme on both commercial operators and the government.

The proposed regulations hope to strike the right balance between supporting innovation and increased use of drones whilst ensuring public safety.

What’s being proposed?

The proposed regime uses a risk-based approach to managing pilots and operators by dividing UAs into five classes. The distinctions are based on weight and operating environment and decidedly eschew a commercial or recreational distinction of use on the grounds that the risks posed are identical in both scenarios.

As a regulatory foundation, all UAs heavier than 250g will have a minimum age requirement for operators (as low as 14 years old), as well as mandatory possession of liability insurance and the satisfactory completion of a basic knowledge test. All operators will be required to label their devices with contact information. Transport Canada’s infographic illustrates the gradual application of more onerous demands on operators as both weight and proximity to built-up areas increases.

The most significant distinction lies in the requirement that UAs in urban environments (complex operations) will require a pilot permit specific to small drones, as well as having to meet design standards yet to be confirmed. In contrast, the same UA piloted in rural areas (limited operations) will face significantly less demanding rules, requiring only that the operator be at least 16 years old and have passed a basic knowledge test. Each class must also adhere to minimum operating distances from certain people, events, buildings and air spaces, depending on the operating environment.

For commercial operators in rural areas especially, the new regime will ensure an even application of standards nation-wide whilst those seeking to operate in urban areas will have to display the requisite level of skill and knowledge to operate within built-up areas with increased risk of damage to people and property. The movement away from SFOCs is a win for all operators otherwise subject to the administrative burden and application costs.

For UAs heavier than 25kg or that are operated beyond visual line of site and any other use that cannot comply with the proposed regulatory provisions (think competitive racing), an SFOC is still required.

How the new regime will improve outcomes

Despite the new regulations coming with a $61 million price tag to government and private users, Transport Canada considers it a net benefit given the reduced risk of manned aircraft accidents. By instituting a minimum age to operate UAs over 250g and by further requiring the completion of knowledge tests and licensing requirements commensurate with the level of risk, operators will at least conform to a basic standard of knowledge and skill.

Businesses will benefit from greater certainty, a fairer application of standards country wide and increased operability within urban areas. However, they will face increased operating costs in obtaining insurance coverage and it remains to be seen just how exacting the design requirements will be for UAs operating in urban environments.

Estonian Blockchain-Based ID Card Security Flaw Raises Issues About Identity

Posted in Cybersecurity, Data Breach, Identity
Kirsten ThompsonEriq Yu

On August 30, 2017, an international team of security researchers notified the Estonian government of a security vulnerability affecting the digital use of Estonian ID cards issued to around half of the Estonian population. Affecting 750,000 ID cards issued to a population of 1.3 million, the Estonian Information System Authority (RIA) has taken measures to restrict some of the ID card’s security features until a permanent solution is found.

While there appears to be no sign of unauthorized use (the vulnerability appears to have been a “theoretical” vulnerability) the discovery of the vulnerability comes as Estonia continues to advance its national “e-Estonia” initiative to bring its citizens into a digital ecosystem of public and private services built upon the security and authentication provided by the Estonian ID card.

Blockchain and Identity

The e-Estonia initiative is notable for its technological innovation that currently makes Estonia a preeminent use case of blockchain technology and public-key cryptography in the delivery of government services. However, as this event shows, cybersecurity and privacy considerations must remain at the forefront of centralized security and authentication, especially in the case of multi-use identification cards.

Since 2013, Estonian government registers have paired cryptographic ‘hash functions’ with distributed ledger technology, allowing the Estonian government to guarantee its various records.

The ID card unifies access to a host of services. Citizens can order prescriptions, vote, bank online, review school records, apply for state benefits, file their tax return, submit planning applications, upload their will, apply to serve in the armed forces, and fulfil around 3000 other functions. Businesses owners can use the ID card to file their annual reports, issue shareholder documents, apply for licenses, and so on. Government officials can use the ID card to encrypt documents, review and approve permits, contracts and applications, and submit information requests to law enforcement agencies.

Digital authentication is convenient and saves both time and money for government, business and public services. However, in order to function effectively, it is critical for the government to know its records are the right records, and that they have not been altered. The underlying technology in the Estonian ID card is blockchain, which records every piece of data with proof of time, identity and authenticity – providing a verifiable guarantee that data has not been tampered with.

This immutable ledger identity was thought to be highly secure, and even believed to be unbreakable. However, the reported vulnerability in this case is notable due to the increase in computing power in recent years. A few years ago, exploiting such a vulnerability would have been significantly more expensive and thus more unlikely than it was today.

Identity Cards and Identity In Canada

Canada does not have a national identity card; Canadians (and others with appropriate residency status) have a Social Insurance Number issued which is used for certain permitted purposes, but the card itself is not an identity document and were phased out in 2014, in part because of creep in the scope of use and the lack of security features on the card.

The Office of the Privacy Commissioner of Canada has opposed the use of a national identity card in Canada. The provinces have dabbled with various “enhanced” driver’s licenses and other types of cards, with various success, and varying levels of resistance.

British Columbia and Manitoba have both moved towards a multi-use identification card, with significant privacy implications for individuals and businesses. The provinces of Quebec, Manitoba, Ontario and British Columbia have negotiated a Memorandum of Understanding with Citizenship and Immigration Canada the Canada Border Services Agency to implement  their  provincial “enhanced driver’s license” programs. For example, Ontario’s “enhanced driver’s licence” serves as an identity document and permits travel between Canada and the United States of America when travelling by road or water. Currently, the programs are voluntary.

More recently, the Digital Identity and Authentication Council of Canada (DIACC) spearheaded the creation of a national digital identity ecosystem, the Pan-Canadian Trust Framework (PCTF),  which would enable digital identity and, by extension, facilitate trustworthy digital transactions. The trust framework would define and standardise processes and practices, and specify data protection policies that government agencies, banks, telecommunication companies, health care providers, and businesses agree to follow with regard to information assurance practices.

The PCTF is backed by a public-private consortium that includes the governments of Ontario, British Columbia, Saskatchewan, and New Brunswick, along with Canada’s leading banks, telecom companies, and universities. It has been reported that the digital identity supercluster bid was able to raise $185 million of private sector investment for use over five years in just four weeks. If selected to move on to the second phase of the initiative, it will need to raise $250 million, the target for matchable funds set by the federal government.

Integrated identity products save time, money and can lead to increased security on a transaction by transaction basis. However, the consistent concern has be that while standalone services with discrete databases naturally limit the information accessible to intruders in the wake of a data breach, a data incident involving a multi-use identification card that permits access to a host of services could result in wide-ranging damage. Governments and businesses alike are well-advised to maintain a cybersecurity incident response plan to limit data loss and organizational disruption. Integrated identity documents have the potential to create disruption both for the public issuers of such documents, but also for the businesses that rely on them. Businesses and governments embracing new technologies (or reviewing older technologies) should be aware of the need to “future-proof” their investments.

For more information, see McCarthy Tétrault’s Cybersecurity Risk Management – A Practical Guide for Businesses

Competition Bureau Releases Big Data White Paper for Public Comment

Posted in Big Data, Competition
Donald HoustonDominic TherienJonathan BitranKirsten Thompson

On September 18, 2017, the Competition Bureau (the “Bureau”) published a white paper for public consultation titled “Big data and Innovation: Implications for competition policy in Canada”. The white paper draws from the Bureau’s recent abuse of dominance investigations involving big data considerations, and also considers US and European developments in order to identify challenges raised by big data in the context of criminal cartels, mergers, and misleading advertising cases.

At the outset, the Bureau recognizes that competition enforcement needs to “strike a balance” that does not stifle innovation driven by the collection and use of data and legitimate competition. The Bureau considers that the existing legislative framework under the Competition Act (the “Act”) is largely effective in meeting the new challenges posed by big data. Nonetheless, given that the use of big data is new and developing at a fast pace, the white paper identifies challenges of analyzing big data cases under the Act.

Competition and Privacy

One question raised by competition investigations involving big data is the role of privacy and data security concerns. The Bureau indicates that while such considerations are relevant to a broader debate about big data, its mandate is limited to addressing conduct that harms competition. The white paper, however, does stress that when firms compete with respect to privacy safeguards or transparency in respect of how their data may be used, privacy represents a significant non-price dimension of competition. In mergers and abuse of dominance investigations, the Bureau may therefore consider whether a transaction or conduct has an adverse effect on consumer privacy as a non-price dimension of competition. The Bureau recognizes that anti-competitive effects on consumer privacy may be difficult to express, which raises challenges where the parties put forward an efficiencies defence thereby requiring the Bureau to quantify anti-competitive effects.

The misleading advertising provisions of the Act apply to representations made to the public to promote any business interest, even indirectly. The white paper indicates that the Bureau may review representations that mislead consumers with respect to the type of data collected, the purposes for which the data are collected, and how the data will be used, maintained and erased. The Bureau will assess whether consumers are provided with the information necessary to make informed choices about data collection.

Notably, the Bureau’s mandate in respect of data is broader than that of the Office of the Privacy Commissioner of Canada. The Privacy Commissioner is limited to matters of privacy – which deals only with personal information – whereas the Bureau can examine competition matters related to all types of data.

Big Data and Pricing Algorithms – Criminal Risk

The Bureau is mindful that competition enforcement should not chill innovative and procompetitive uses of big data. While the use of pricing algorithms to monitor and adjust pricing may lead competitors to unilaterally adopt similar or identical pricing or business practices, such “conscious parallelism” behaviour is not criminal under the Act. Although big data may lead to conscious parallelism and thereby soften competition, the Bureau indicates that mere conscious parallelism will not be subject to criminal investigation.

However, the Bureau may review parallel behaviour accompanied by practices that facilitate, or may be an indication of, an agreement between competitors. Such “facilitating practices” may be reviewed under the criminal cartel provisions of the Act, or the civil provisions prohibiting anti-competitive agreements between competitors. The Bureau believes that big data can lead to various activities that could constitute facilitating practices. For example, the white paper indicates that disclosing a pricing algorithm to competitors or disseminating pricing information using a digital platform in a concentrated industry could facilitate anticompetitive agreements. It is therefore important for firms to design and implement algorithms to minimize the risk of a potential criminal investigation.

The Bureau indicates that it will not hesitate to pursue big data related conduct where there is an underlying agreement between competitors to fix prices, allocate markets or restrict output. For example, competitors may agree to adopt the same pricing algorithms to maintain prices, or share inventory data to facilitate an agreement to restrict output.

Big Data in Mergers and Abuse of Dominance Cases

The white paper considers how big data can affect the Bureau’s usual analytical tools and remedies. Even where the Bureau anticipates that there could be challenges, it does not suggest the need for any significant departure from its current approach.

  • Market Definition: Big data is frequently used by businesses that offer multi-sided platforms (e.g., a social media network that is free for users, but that charges advertisers). The Bureau recognizes that the interaction between all sides of a platform needs to be considered when defining relevant markets. For certain cases involving big data or platforms in the digital economy, the Bureau may focus on direct evidence of competitive effects, rather than trying to define the relevant market as an initial step.
  • Market Power: Assessing market power in big data investigations may raise challenges. First, pricing on all sides of a platform may need to be considered when considering pricing as an indicator of market power. Additionally, due to the rapid pace of change and innovation associated with big data businesses, market shares may not be as indicative as they are for assessing traditional businesses. Access to and control over data may confer market power where such data is an essential input for rival firms to compete, or where network effects are present.
  • Purpose and Business Justifications: The Bureau will consider business justifications when a firm is preventing competitors from having access to data that is necessary for competitors to compete. To determine whether such foreclosure is anticompetitive conduct, rather than legitimate competition, the Bureau may use the “no economic sense” test from the TREB case and assess whether profits that are unrelated to the foreseeable anticompetitive effects of the conduct are greater than the costs incurred in pursuing the practice. The white paper only briefly mentions that intellectual property rights will be examined as part of big data investigations, and does not provide any new guidance.
  • Competitive Effects: Given that big data is often used in the production of goods and services, mergers and business practices involving big data may involve vertical competition issues. Big data may also create difficulties in prevention cases as this requires an understanding of the future use of the data. Algorithms and bots increase transparency in the market, and the Bureau will consider whether they facilitate coordinated effects. Assessing and predicting competitive effects in a context where dynamic competition is important raises inherent difficulties associated with the measurement and quantification of innovation.
  • Efficiencies: The Bureau predicts that dynamic efficiencies (i.e., efficiencies resulting from better product offerings and new production processes) may become more prominent due to the rapidly innovating marketplace.
  • Remedies: A unique feature of data is that it can be exploited by multiple users and thereby divested without depriving the seller of its use as well. The Bureau’s preference for structural rather than behavioural remedies remains, but it recognizes that big data could lead to novel remedies. For example, divested data could become stale over time, requiring divesting parties to periodically hand over updated data.


The white paper provides useful initial guidance on how the Bureau may apply the existing framework under the Act to various competition considerations related to big data and algorithms that have been examined so far. However, the big data era is still in its infancy, and the white paper leaves open many questions as to how the Bureau would analyze conduct in light of the big data challenges it identifies. It therefore remains to be seen how those competition issues will develop, and how the Bureau will respond. The white paper is open for comment until November 17, 2017.

Three Cybersecurity Trends Driving the Bank of Canada’s Call for Cybersecurity to be Treated as a ‘Public Good’

Posted in Cybersecurity, Financial
Justin Shoemaker

The June 2017 Financial System Review released by the Bank of Canada warns that Canada’s financial institutions have reached a point of interconnectedness that could allow a cyber-attack to rapidly transmit stress throughout Canada’s financial system, leading to prolonged service interruption, compromised data integrity or a loss of confidence in the financial system.

Such an attack would have knock-on effects for the real economy and the Bank of Canada warns that this risk should be treated as an ongoing structural vulnerability in the Canadian financial system. According to the Bank of Canada, cybersecurity should be treated as a public good, which the public sector has a role in coordinating.

The Bank of Canada’s warning has taken on new gravity in the face of  the Petya/NotPetya ransomware attack (which occurred in July) spread around the globe after wreaking havoc on banks, government ministries and common critical infrastructure in the Ukraine. Indications suggest the attack could be a malicious wiping tool operating under the guise of ransomware.

There are a number of big picture trends that underlie the Bank of Canada report, which calls for a veritable paradigm shift in how Canada’s financial institutions and the regulators that govern them approach cybersecurity. We summarize three such trends below:

1. Rapid Digital Innovation and Increased Reliance on Third Party Services is Driving Interconnectedness and Increasing Systemic Vulnerability

As the Bank of Canada observed in its 2014 report on the operational resilience of the financial system, the traditional first line of defence against cyber-attacks for financial institutions and financial market infrastructures such as payment clearing and settlement systems (“FMIs”) has been the protection of internal systems and investment in hardened devices and encryption.

However, as Canadian financial institutions have moved towards a platform-based development and service delivery model, third parties are increasingly connected to core systems and, in the case of certain cloud-hosted platforms, may even be hosting data on third party servers.

While these innovations have allowed financial institutions to tighten development cycles, rapidly release apps and better serve clients in new channels (such as mobile), with each connection it makes, a financial institution widens the ecosystem of interdependencies, parties and entry-points that are vulnerable to exploitation by attackers.

First reports about the Petya/NotPetya attack indicated that one of the initial vectors which allowed the malicious code to spread throughout institutions in the Ukraine was a widely-used tax accounting software which was compromised to deliver the malware (its developers have denied these reports).

As the 2016 attack on the Bangladesh Central Bank demonstrates, it is no longer enough for major financial institutions to rely on traditional tools to harden their own defences. All participants and critical infrastructure in a network must coordinate in their efforts to anticipate and defend against cyber-attacks. In the Bangladesh Central Bank attack, false SWIFT instructions were issued to the New York Federal Reserve in an attempt to cause it to execute over 30 transfers. While most were flagged as suspicious, a number were executed. One of the transfers, bound for Sri Lanka, was caught by local officials and a routing bank (due to a spelling error), but several others bound for the Philippines were successful.

These incidents demonstrate that our financial system will only be as secure as the weakest member of a growing ecosystem which includes third party service providers, consumers and employees.

 2. Cyber-attacks are Becoming Increasingly Sophisticated and Increasingly Prevalent while Costs to Defend Against Them Continue to Rise

As the Bank of Canada observesin its report, the frequency and sophistication of attacks have been growing and financial institutions represent prominent targets for attackers for a variety of reasons.

While the cybersecurity industry can develop solutions for particular exploits, attackers can re-use code, tools such as key-loggers and decrypters and credentials publicized in past attacks. Attackers have also shown the propensity to learn from their peers and recycle old methods from earlier attacks.

One example of this phenomenon is the reuse of the MS17-010, ‘EternalBlue’ exploit in the the Petya/nonPetya attacks. The EternalBlue exploit was previously employed by attackers in the WannaCry ransomware attacks. It is widely believed to have been based on a tool developed by the U.S. National Security Agency that was leaked online only and adopted by the cyber-attackers behind the attack (see this blogpost by Microsoft’s CLO). The purported Petya/nonPetya abuse of Windows Management Instrumentation to spread malicious code laterally throughout a network is a technique that also has a history in cyber-warfare and formed part of the Stuxnet attack on Iran’s nuclear fuel enrichment plant at Natanz.

The source of such exploits highlights that even if financial institutions are not facing-off against a state-sponsored actor directly, they will have to deal with others who are capable of leveraging the tools developed by state-sponsored actors. Financial institutions thus have to consider all types of attackers to have a common degree of sophistication regardless of their motives which can range from mischief, to theft of information, to financial gain, or even geopolitically motivated espionage.

There is even a growing marketplace for would-be attackers to purchase or rent the infrastructure and tools needed to carry out a cyber-attack at a cut-rate (consider the xDedic site, where it was reported some 70,000 compromised servers were available for sale—xDedic has since migrated to the dark web).

As the ease and sophistication of attacks increases, so too have the costs of defending against them, with Forbes reporting in 2016 that Bank of America would operate without a cap on its cybersecurity budget (In Bank of America’s case it had already spent some $400M in 2015) while others like J.P. Morgan Chase & Co. have doubled down on cyber-security budgets in the same period. The ballooning costs of traditional cybersecurity investments have even drawn the attention of artificial intelligence (“AI”) researchers who propose to use AI platforms to analyze threat intelligence, cyber-crime strategies and test for vulnerabilities in a particular ecosystem (the flip-side being, of course, that cyber-criminals will be just as likely to apply AI as part of their own offensive arsenal).

Given that, even with an unlimited budget, the most robust internal defences are unlikely to provide definitive security to a highly connected ecosystem where any entity in the ecosystem can act as an entry point for a contagion, the Bank of Canada’s view of cybersecurity as a public good is therefore not unfounded.

3.  Canadian Policymakers May Look to their U.S. Counterparts when it comes to Comprehensive Cybersecurity Regulation for Financial Institutions

While the Bank of Canada report does highlight the existence of a network of public and private sector partners who cooperate to share intelligence on cyber risks and threats, regulators in the U.S. have taken the collective goods logic of cybersecurity a step further and, in March of this year, the New York Department of Financial Services (“NYDFS”) adopted a series of comprehensive cybersecurity rules requiring covered companies to, among other things, develop a cybersecurity program and incidence response plan, continuously train their workers, conduct risk assessments, conduct access privilege reviews, designate a Chief Information Security Officer and mandatorily report breaches.

Earlier in the year, the U.S. Federal Deposit Insurance Corporation, the Federal Reserve Board and the Office of the Comptroller of the Currency concluded a comment period on an advance notice of proposed rulemaking in which the three entities considered whether or not to issue formal regulations governing cybersecurity.

Critically, the NYDFS regulations govern not only businesses supervised by the NYDFS, but also third party service providers and app providers. As discussed, a networked ecosystem is only as strong as its weakest link, which the NYDFS regulations appear to have taken into account.
This approach varies significantly from the Canadian approach, which can be characterized as a patchwork of cooperation, guidance and legal requirements issued and maintained by a variety of bodies. At a high level, Public Safety Canada is the department responsible for overseeing Canada’s cybersecurity strategy and operates the Public Safety Canada’s Canadian Cyber Incident Response Centre (“CCIRC”). Financial institutions participate in the CCRIC along with FMIs to share threat intelligence and best practices.

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) operates as an overall umbrella governing personal information. Amendments to PIPEDA (not yet in force, although draft regulations have been circulated for comment) require organizations to keep auditable records of security breaches and introduced mandatory breach reporting. These amendments also allow the Privacy Commissioner to impose fines  of up to $100,000 per violation when an organization knowingly violates the breach notification requirements.

The Office of the Superintendent of Financial Institutions (“OSFI”) has guidance on cybersecurity (Guideline B-10: Outsourcing of Business Activities, Functions and Processes) which includes guidance relating to third party outsourcing.
The Bank of Canada also requires certain FMIs to perform cybersecurity self-assessments against a common standard and adopt a risk-based approach to managing cybersecurity risk.

Other entities such as the Canadian Securities Administrators (“CSA”), the Industry Regulatory Organization of Canada, the Mutual Fund Dealers Association of Canada have published guidance on cybersecurity and reporting. The CSA has published a number of staff notices which provide guidance to public companies on cybersecurity risk management and disclosure requirements (frequently by way of reference to other domestic and international guidance).

While all regulators involved appear to recognize the importance of safeguarding each and every member of the connected ecosystem which they govern, leaving members to self-police their internal practices (and those of their vendors) creates the potential for cost-benefit logic (or reliance on cybersecurity insurance) to dictate the level of diligence with which an entity carries out its obligations.

Concluding Thoughts

As the level and sophistication of cyber-attacks continue to grow, there will be a mounting pressure on regulators to continue to develop coordinated, meaningful, mandatory minimum standards that are enforceable against all financial institutions and FMIs as well as their service providers.

If cybersecurity is to be treated as a public good as advocated by the Bank of Canada, government will be expected to take a leading role in coordinating both mandatory and voluntary participation by industry in threat intelligence sharing initiatives, such CCIRC, as government agencies will be well-positioned to both alert industry to new risks and share the costs of developing cybersecurity tools to respond to nascent attacks.

Canadian Securities Administrators Weigh-in on the Applicability of Canadian Securities Laws to Cryptocurrencies, including Coins and Tokens

Posted in FinTech, Regulatory Compliance
Heidi GordonAna BadourShauvik ShahEtienne Ravilet GuzmanShane C. D'SouzaSean SadlerPatrick Boucher
On August 24, 2017, Staff of the Canadian Security Administrators (the “CSA”) released CSA Staff Notice 46-307 Cryptocurrency Offerings (the “CSA Notice”), published in all Canadian jurisdictions except Saskatchewan.[1]
The CSA Notice addresses a number of considerations of relevance to Fintechs, investors and their advisors, including the potential applicability of Canadian securities laws to initial coin offerings (“ICOs”) and initial token offerings (“ITOs”), cryptocurrency exchanges and cryptocurrency investment funds. It follows a press release issued by the Ontario Securities Commission earlier this year confirming that Ontario securities laws may apply to any use of distributed ledger technologies (“DLTs”), such as blockchain, as part of financial products or service offerings. Our commentary on that press release is here.The effect of the CSA Notice is to confirm the potential applicability of Canadian securities laws to cryptocurrencies and related trading and marketplace operations and to provide market participants with guidance on analyzing these requirements.Status as a “Security” and Prospectus RequirementThe CSA Notice clarifies that regardless of whether the instrument distributed is referred to as a coin/token instead of a share, stock or equity, that instrument may still be a “security” under Canadian securities laws. The key takeaways from this clarification are:

  • The existing definitions to establish whether an instrument is a “security” also apply to coins/tokens generated from an ICO/ITO. A security includes an “investment contract”. In determining whether a coin/token is an investment contract, a four-prong test should be applied, being does the coin/token involve: (i) an investment of money (ii) in a common enterprise (iii) with the expectation of profit (iv) to come significantly from the efforts of others. Advertisement of a coin or token as a software product is not relevant in determining whether a coin or token constitutes a “security”.
  • The “investment contract” test looks at the economic realities of the circumstances and provides a very broad and flexible means of capturing new and innovative arrangements — such as ICOs/ITOs — that do not fit within other definitions of a “security”.
  • Generally, “securities” offered to the public in Canada must be offered with a prospectus, which provides details of the venture and the securities being offered and is filed with the relevant securities commissions. However, there are prospectus exemptions that allow an issuer to offer securities on a private placement basis without a prospectus. “Securities” that are coins/tokens are no different. An ICO/ITO of a coin/token that constitutes a “security” requires either the filing of a prospectus, or the use of an applicable prospectus exemption. For example, coins/tokens that meet the definition of securities could be distributed to accredited investors in reliance upon the accredited investor exemption, or could be distributed to retail investors in reliance upon the offering memorandum exemption, without the need to file a prospectus. Whitepapers are not prospectuses and do not fulfill the disclosure requirements applicable under Canadian securities laws. To date, no business has used a prospectus to complete an ICO/ITO in Canada; however, coins/tokens have been distributed in Canada on a prospectus exempt basis.

Cryptocurrency Exchanges

As mentioned in the CSA Notice, a number of jurisdictions have also been developing regulation applicable to cryptocurrency marketplaces or exchanges in other areas, particularly with respect to anti-money laundering, recordkeeping, counter-terrorist financing and identity verification requirements. Canada is no exception in this regard, having amended the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada) in 2014 to include within the scope of money services businesses “dealers in virtual currencies” (these changes are not yet in force pending the publication of related regulations).  In addition, in Quebec, the Autorité des marchés financiers requires such exchanges and virtual currency ATMs to be licensed as money services businesses.

While no cryptocurrency marketplaces or exchanges have registered with securities regulators in Canada to date, CSA Staff emphasizes the need for cryptocurrency exchanges to determine whether the cryptocurrencies that they offer are “securities” and, if so, to register as a marketplace or get an exemption from registration.

Dealer Registration Requirement

The CSA Notice also addresses the following with respect to dealer registration or registration exemption and marketplace requirements:

  • Businesses that undertake an ICO/TO for a business purpose may be required to register as a dealer or get an exemption from registration. Factors to consider include whether a security is involved, a broad base of investors is being solicited, whether a considerable amount of capital is being raised from a large number of investors, the use of public forums (i.e., the internet) and participation in public events to market the sale of coins/tokens. Any businesses that meet the business purpose must fulfill know-your-client and suitability requirements and other on-going registrant obligations.
  • Platforms used for trading coins/tokens that are securities may constitute a marketplace and therefore must comply with marketplace requirements or otherwise seek an exemption from such requirements.
  • Any platform used for offering coins/tokens that constitute securities must have policies and procedures, including in respect of cybersecurity matters, in place.

Cryptocurrency Investment Funds

The CSA Notice also outlines several factors relevant to the operation of cryptocurrency investment funds. As with other funds, a cryptocurrency investment fund should register in the category applicable to it as an investment fund manager and/or adviser, or dealer. The fund should consider how the valuation method of the cryptocurrencies and securities included in the fund’s portfolio will take place, whether this method will be assessed in an independent audit and how the exchange of cryptocurrency will take place. Any exchange used to purchase or sell cryptocurrencies will have to be subject to due diligence by the fund. Moreover, where retail investors invest in the fund, some jurisdictions in Canada will not accept an offering on an exempt basis in reliance upon the offering memorandum prospectus exemption, and instead will require compliance with the prospectus requirement, investment suitability and investment fund regulations. Finally, any custodian that holds the portfolio assets of a cryptocurrency investment fund must have cryptocurrency-related expertise.

Beyond Canada

Canada is not the only jurisdiction grappling with this issue. Recently, both the Securities Exchange Commission (“SEC”) in the United States and the Monetary Authority of Singapore (“MAS”) have issued guidance addressing the applicability of securities laws to cryptocurrencies.

On July 25, 2017, the SEC issued an investigative report reminding stakeholders considering using decentralized autonomous organizations or other DLTs to raise capital to take appropriate steps to ensure compliance with U.S. federal securities laws. Like Canada, in the United States, all securities offered and sold must be registered with the SEC or must qualify for a registration exemption. To drive this point home, the SEC analyzed the distribution of tokens in 2016 by “The DAO”, an unincorporated virtual organization on the Ethereum blockchain, and concluded that: (a) DAO tokens were unregistered securities; (b) The DAO was an unregistered issuer; and (c) platforms allowing DAO tokens to trade “appear” to be unregistered exchanges. Along the way, the SEC noted that:

  • The automation of certain functions through DLT, “smart contracts,” or computer code, does not remove conduct from the purview of U.S. federal securities laws.
  • Cash is not the only form of contribution or investment that will create an investment contract. Any contribution of value, such as goods and services, may be considered an investment.
  • The marketing efforts of those involved in designing, promoting, distributing and managing the ICOs/ITOs and resulting enterprise will be considered, including their involvement in control and decision-making after the ICO/ITO.
  • To prove that investors do not rely on the managerial efforts of others, voting rights given to token holders must allow them to meaningfully control the enterprise.
  • Pseudo-anonymity and the wide dispersion of tokenholders may make it difficult for them to argue that they can meaningfully control the enterprise and do not rely on the managerial efforts of others.

The SEC elected to not pursue an enforcement action against The DAO, its co-founders and intermediaries involved in the distributed of DAO tokens.

The CSA Notice is reflective of the increasing scrutiny paid by CSA Staff to the regulation of Fintechs, and can be expected to inform the approach taken by Canadian securities regulators when considering requests for exemptive relief from Canadian securities law requirements and other issues, whether as part of the CSA Regulatory Sandbox initiative or otherwise.

Any Fintech businesses seeking to enter the cryptocurrency space in Canada should consult with counsel and be prepared to engage in detailed interaction with securities regulatory authorities.

For more information about our firm’s Fintech expertise, please see our Fintech group‘s page.


[1]      The Financial and Consumer Affairs Authority of Saskatchewan will advise of its approach in this matter after the provincial by-election in Saskatchewan on September 7, 2017.


Privacy Commissioner’s Report on Public Perception of Companies’ Privacy Practices Holds Lessons for Business

Posted in Privacy
Ljiljana Stanic

The Office of the Privacy Commissioner of Canada (“OPC”) recently released a preliminary report outlining the results of a series of focus groups conducted with Canadians about privacy and the protection of personal information.[1] Predictably, participants in the focus groups (which represented a small and restricted sample of Canadians) were concerned by the collection and protection of their information by private companies.

It is likely that the OPC will highlight these results in its upcoming comprehensive report on privacy and consent in September 2017, part of the ongoing review of the Personal Information Protection and Electronic Documents Act (“PIPEDA”),[2] as justification for the expansion of government oversight and enforcement powers in relation to the protection of customer privacy interests. Review of the data however, indicates that, at least among the relatively small sample canvassed as part of the focus groups, participants saw an independent role for Canadian companies in the protection of their data, apart from compliance with government regulations.

Study overview

This particular series of focus groups collected qualitative data with respect to the sharing of personal information with and by private companies. In total, 64 individuals in four Canadian cities participated in the focus groups conducted over three days by Phoenix SPI on behalf of the OPC.

All participants acknowledged that it was common to be asked to provide personal information when interacting or conducting transactions with Canadian companies, especially when those interactions or transactions took place online. Although there was widespread acknowledgement that these companies had legitimate reasons to collect this information, there was also a common feeling that, as customers, they had no choice but to give their consent to the provision of this information and that they had little or no control over what happened to that information once provided.

The study participants identified three broad areas of concern with respect to what they perceived to be the high volume of personal information that is collected by Canadian companies:

  1. The level of security of that information and the potential for hacking and consequent fraudulent use (e.g. identity theft);
  2. The sharing or sale of information with third parties, for whatever purpose; and
  3. A lack of understanding about companies’ privacy policies and practices and the consequences for companies if those policies are violated.

The report indicates a general feeling among the participants that the current system is skewed in favour of companies at the expense of the customer. Specifically, it was seen that most privacy policies are overly long and complex while remaining vague and unclear, with the result that customers consented to them without a proper understanding of their terms. That said, participants generally believed that corporate privacy policies, whatever their specific terms, operated to protect companies in their use of customer information, rather than the customers themselves.

Study participants also exhibited an overall level of skepticism about the type and quantity of information collected. For example, while participants made the obvious connection between the need to collect credit card information and pay for a good or service, they were less confident that demographic information such as age, gender, or level of education would be put to use other than for targeted advertising, junk e-mail, or sharing with other vendors. Few linked the collection of personal information to the potential for more personalized products or improved customer service. Consequently, some of the respondents stated that they avoided online transactions altogether or where possible withheld or provided false information.

Customers are, perhaps unsurprisingly, more willing to provide personal information to companies with whom they already have a relationship and whom they perceive as established and trustworthy. In this connection it is worth noting that there was a lower level of trust associated with smaller companies and those who ‘cold-called’ customers.

Opportunities for Canadian Companies

Given the perceived power imbalance in their relationship with companies, study participants expressed some support for further government involvement in the regulation of policies and practices with respect to the collection, storage, and sharing of personal information. These include

  • Government-imposed standardized policies written in plain language including “opt-out” provisions for different types of or uses for personal information;
  • Increased government regulation governing the collection, sharing, and security of personal information, including proactive audits of companies’ privacy practices and the imposition of penalties on violators (such as fines or public ‘naming’ of companies failing to meet standards);
  • A public information campaign with respect to privacy and the consent to sharing of personal information, including a public registry of companies that have experienced breaches in information security or have been found to violate privacy laws or policies.

Next Steps and Lessons for Business

As noted above, the OPC plans to release a comprehensive report on privacy and consent in September 2017 and it is not clear at this point what influence this particular study will have in that final report. Given the profile this study has been afforded by the OPC, notwithstanding its restricted scope and scale, it is likely to be used to support an argument for the grant of further powers to the OPC.

It this context, it is easy to overlook the ways in which study participants saw a independent role for companies, independent of government, in the protection of privacy. Canadian companies have a number of opportunities to anticipate the OPC and improve their privacy practices, while reassuring and improving relationships with customers . In particular, as suggested by the feedback by the study participants, Canadian companies should consider:

  • Informing customers how the collection of data can improve their experiences, such as through the provision of personalized results, recommendation, and customer service, rather than merely serve marketing goals;
  • Stating explicitly and in clear language how the information customers provide will be used by the company and under what conditions it will be retained, shared, and destroyed;
  • Revamping their current policies and practices to ensure that they are written in language that is as clear and customer-friendly as possible and providing, where appropriate, plain-language or bullet-point summaries of the policy;
  • Where appropriate, allowing customers to opt-out of providing specific information;
  • Exercising due diligence in verifying that customers have read and understood the terms of their privacy and personal information policies; and
  • Specifying the steps the company will take and/or the recourse available to the customer should personal information be compromised, or otherwise used or shared without consent.



Paving the Way for RegTech: Australian and Canadian Developments

Posted in FinTech
Jason PhelanAna BadourDrew Wong

Recently, the Australian Securities and Investments Commission (ASIC), which regulates financial services and markets in Australia, provided recommendations and engaged in consultation on establishing best practices and guiding principles for the regulatory technology (RegTech) eco-system in Australia.

As discussed in our previous post in respect of UK developments in the area, “RegTech” can be understood as describing new technologies that facilitate the delivery of regulatory requirements. This demand has been driven by increasing levels of regulations and reporting requirements, which places operational challenges and new risks on the financial services sector. RegTech has the potential to complement financial services providers with streamlined compliance procedures in a cost-effective manner, which could also allow regulators to get access to and process a larger amount of data.

Generally, RegTech services help to declutter, analyze, and provide reports on large, intertwined, and complicated data sets to facilitate  access in a more consumable format. For example, RegTech applications include services to reduce the risk of money laundering activities conducted online, monitoring of online transactions in the digital payment eco-system, fraud prevention and audit trail capabilities.

ASIC Innovation Hub and Request for Feedback

In May 2017, ASIC published a report providing an update on the work of its Innovation Hub and outlining its approach to Fintech, RegTech and related areas. It also sought feedback from different stakeholders with respect to its proposed approach to RegTech.

In March 2015, ASIC established the Innovation Hub, which serves as a body and forum to assist new Fintech businesses navigate through ASIC’s regulatory framework. To date, the Innovation Hub has worked with 168 entities, notably providing them with informal assistance to help bridge any knowledge or resourcing gaps and providing them with access to senior ASIC staff to help streamline processes. Of the 33 new Australian financial services licenses and Australian credit licenses granted since March 2015, the businesses that who have engaged with the Innovation Hub received approval substantially faster than those who have not.

In mid-2016 the Innovation Hub expanded its scope and began to engage with RegTech businesses by providing them with informal assistance. ASIC met with a number of RegTech stakeholders and service providers to get a better sense of their business model and of the RegTech eco-system, as well as with domestic and international regulators to discuss developments in the area. ASIC currently conducts sets of trials of RegTech, including machine learning applications assessing document sets to identify useful evidence and social media monitoring tools.

In its report, ASIC described its new initiatives to complement its current RegTech activities, including the establishment of a liaison group composed of RegTech stakeholders who will meet three times a year to facilitate networking and collaboration opportunities within the RegTech sector, the hosting of a problem-solving event (“hackathon”) with the industry and a commitment to a small number of new trials of RegTechs. ASIC sought feedback from those new initiatives.

ASIC’s RegTech Roundtable 2017

As part of its current commitment to engage with the RegTech community, ASIC hosted its first RegTech roundtable discussion in February 2017 to discuss with a number of entities from across Australia, while regulators and government officials observed. The discussion focused on the current RegTech landscape and its future development, and on the commercial, regulatory and practical barriers to future potential of RegTech in Australia.

The emerging themes during the roundtable included:

  1. Current RegTech environment and emerging technologies – factors such as computer capacity, storage, data use, new technological applications, and the industry sentiment of focusing on efficiency, while maintaining a conduct risk management focus, as well as the opportunities offered by big data and machine learning, are contributing to driving the opportunities and growth in the RegTech market.
  2. Importance of real time monitoring – near real time monitoring of conduct by financial services providers has the potential to change the role of regulators’ from a “rear view mirror” approach to compliance to one focused on learning and prediction, which would save costs and facilitate more streamlined compliance, while having the potential to create a shift within organisations relying on proprietary systems towards an effective compliance culture.
  3. Cyber and information security – questions were raised with respect to the ownership of the data generated by RegTech services, access to such data, cyber security and protection of digital identity.
  4. Lack of human involvement – a potential risk could be formed from replacing the normally human involved process of ensuring compliance with a heavily relied upon process based on an automated system, while potentially creating disruption within organisations as RegTech will inevitably means changes for staff which could see such technology as a threat.

Beyond the themes and risks discussed, ASIC asserted that it sought to continuously engage and receive feedback from those affected by RegTech. ASIC’S intention appears to align the RegTech industry with current compliance systems to streamline and integrate RegTech to better facilitate upholding regulations and ensuring the existing industry is trained and adapts seamlessly.

Canadian Approach to RegTech

The Ontario Securities Commission (OSC) and ASIC previously entered into an agreement, pursuant to which, among other things, they committed to share information on emerging trends in each other’s markets and the potential impact on regulation.  The OSC has also shown its own interest in RegTech developments.  In November 2016, the OSC held its own hackathon bringing together members of the Fintech community to find solutions to regulatory problems arising in the area of RegTech. This hackathon brought in over 120 members of the Fintech community to facilitate discussion and produced a white paper with input from the Fintech and RegTech community.

More generally, in Canada, as discussed in a previous post, the Canadian Securities Administrators (CSA) announced earlier this year the launch of a regulatory sandbox, allowing Fintech businesses to apply with the CSA to receive regulatory relief to test their products and services. RegTech providers are specifically listed as one of the types of business models that is eligible to apply to the CSA regulatory sandbox.

For more information about our Firm’s Fintech expertise, please see our Fintech group’s page.

Department of Finance Releases Consultation Paper on New Retail Payments Oversight Framework Providing for Functional Regulation of Payment Service Providers

Posted in FinTech, Payments, Privacy
Ana BadourKirsten Thompson

On July 7, 2017, the Department of Finance issued the consultation paper “A New Retail Payments Oversight Framework” (the “Consultation Paper”) proposing a federal oversight framework for retail payments. Comments on the Consultation Paper are due October 6, 2017.

Summary of Proposed Oversight Framework

The Consultation Paper is discussed in more detail below, but the key elements are:

  • Broad Scope: The oversight framework would apply to any payment service providers (“PSP”) that perform any listed core functions and would capture credit card transactions, online payments, pay deposits, debit transactions, pre-authorized payments, and peer-to-peer money transfers.
  • Registration Requirement: All PSPs would be required to register with a “designated federal retail payments regulator”.
  • End-User Fund Safeguarding Measures: All PSPs that hold end-user funds overnight or longer would be required to meet certain requirements, including placing them in a trust account, and certain record-keeping requirements.
  • Operational Standards: All PSPs would be required to comply with a set of principles related to establishing security and operational objectives and policies and business continuity planning.
  • Disclosure Requirements: All PSPs would be required to provide end users with certain information, including information on the key characteristics of their service or product, the responsibilities of customers and PSPs, terms and conditions, the end user’s account history of payment transactions, and receipts for transactions.
  • Third-Party Dispute Resolution: An external complaint body would be designated for customers to elevate complaints not resolved through PSPs’ internal complaint handling processes, and PSPs would need to advertise their complaint-handling processes.
  • Liability for Unauthorized Transactions: The payment-authorizing PSP would have to refund the payor for losses resulting from unauthorized transactions or errors, unless the payor acted fraudulently or failed to fulfil certain obligations.
  • Increased Emphasis on Privacy: The regulator for the oversight framework would promote awareness of, and compliance with privacy laws, including by directing PSPs, at the point of registration, to relevant guidance from privacy regulators.

The oversight framework is proposed to be principles-based, with tiering of measures (such that, for example, smaller firms may be subject to less stringent requirements), and a recognition of equivalent requirements under other legislative frameworks.

In addition, the Consultation Paper proposes the establishment of an advisory service for small firms that could guide and assist qualified PSPs in understanding the framework requirements based on their specific business models.


Details of Proposed Oversight Framework

  1. Scope of Retail Payments Oversight Framework

The Consultation Paper proposes a functional approach to regulation of retail payments in Canada, which would apply to any PSP that performs any of the following five core functions in the context of an electronic fund transfer ordered by an end user:

  • Providing and maintaining payment accounts for the purpose of making electronic fund transfers;
  • Enabling the initiation of a payment at the request of an end user;
  • Authorizing and transmitting payment messages;
  • Holding of funds; or
  • Fund clearing and settlement.

The Consultation Paper provides examples of PSP functions: credit card transactions, online payments, pay deposits, debit transactions, pre-authorized payments, and peer-to-peer money transfers. Certain types of transactions are specifically excluded:

  • Transactions entirely made in cash;
  • Transactions conducted via an agent authorized to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee, where the funds held by the agent on behalf of the payer or payee are kept in a trust (e.g., real estate agent or lawyer);
  • Transactions made with instruments that allow the holder to acquire goods or services only at the premises of the issuing merchant (e.g., store cards) or within a limited network of merchants that have a commercial agreement with an issuer (e.g., shopping mall cards);
  • Transactions related to securities asset servicing (e.g., dividends distribution, redemption or sale) and derivatives;
  • Transactions at ATMs for the purpose of cash withdrawals and cash deposits;
  • Transactions between entities of the same corporate group, if no intermediary outside of the corporate group is involved in the transaction; and
  • The clearing and settlement of transactions made through systems designated under the Payment Clearing and Settlement Act.

Furthermore, the Consultation Paper states that the proposed retail payments oversight framework is to be limited to transactions that are carried out solely in fiat currencies, and not virtual currencies given their current limited use. The Government indicated that it will continue to monitor the use of virtual currencies in retail payments and may propose adjustments to the framework as needed.

Many types of Fintech entities in the payment space, particularly those offering e-wallets, prepaid cards and/or peer to peer payments, as well as more traditional payment entities such as merchant acquirers, would appear to fall within the scope of the proposed framework. In addition, entities that are already otherwise regulated, such as banks, credit unions, trust companies and money services businesses may also be PSPs.

In addition, although the Consultation Paper refers to “retail” payments oversight, the currently proposed scope of the framework contemplates more than what would be considered to be consumer transactions.

  1. Proposed Requirements

a. Registration – The Consultation Paper proposes a requirement that all PSPs register with the “designated federal retail payments regulator” (see “Regulatory Authority” section below) either when the oversight framework comes into effect or in the case of a new PSP, prior to launch. The Consultation Paper provides a list of information required to register in Appendix B, including the type of services and payment functions provided, the volume and value of transactions processed in Canada and globally in the last year (or expected to be processed in the upcoming year for a new PSP), the average amount of consumer funds held where the PSP is not a deposit-taking financial institution, the trust account where consumer funds are held, and the total assets value of the PSP. In addition, the PSP’s owners and directors would need to undergo a criminal record check. Furthermore, if Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) determines or has determined that a PSP has committed a “very serious” violation of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act or, in the case of a money remitter, the PSP has not registered with FINTRAC, the PSP’s registration would be denied or revoked.

b. End-user fund safeguarding – The Consultation Paper proposes that PSPs that place end-user funds held overnight or longer in a trust account be required to meet the following requirements:

  • The account must be at a deposit-taking financial institution that is either a member of the Canada Deposit Insurance Corporation or covered under a provincial deposit insurance regime;
  • The account must be in the name of the PSP;
  • The account must be clearly identified as the PSP’s trust account on the records of the PSP and the financial institution;
  • The account may only be used to hold end-user funds;
  • The PSP must ensure that the financial institution does not withdraw funds from the account without the PSP’s authorization (e.g., service fees incurred by the PSP must be paid from the PSP’s general account); and
  • The assets held in the account must be cash held on deposit or highly secure financial assets that can be readily converted into cash.

PSPs would also be required to maintain detailed accounting records that would allow for the accurate identification of funds held in trust and the beneficiaries, and to report on their trust accounts in their annual filings to its designated regulator.

c. Operational standards – The Consultation Paper proposes that PSPs be required to comply with a set of principles related to establishing security and operational objectives and policies and business continuity planning:

  • A PSP should establish a robust operational risk-management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.
  • A PSP’s management should clearly define the roles and responsibilities for addressing operational risk and should endorse the PSP’s operational risk-management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.
  • A PSP should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
  • A PSP system should have comprehensive physical and information security policies that address all major potential vulnerabilities and threats.
  • A PSP should have a business continuity plan that addresses events posing a significant risk of disrupting operations. The plan should be designed to protect end users’ information and payment data and to enable recovery of accurate data following an incident. The plan should also seek to mitigate the impact on end users following a disruption by having a plan to return to normal operations.
  • A PSP should identify, monitor, and manage the risks that end users, participants, other PSPs, and service and utility providers might pose to its operations. In addition, a PSP should identify, monitor, and manage the risks that its operations might pose to others.Operational system testing may be conducted through self-assessment for small firms or through third-party verification for larger firms.

d. Disclosure requirements – The Consultation Paper proposes that PSPs be required to provide end users with information on the key characteristics of the service or product (such as charges and fees, functions, limitations, security guidelines), customers’ responsibilities, the PSP’s responsibilities, terms and conditions, the end user’s history of payment transactions on an account and receipts for transactions.

Disclosures have to meet the following principles:

  • Information must contain adequate andrelevant content;
  • Information must be provided in a timely manner;
  • Information must be presented in language that is clear,simple and not-misleading; and,
  • Information must be easily accessible.

PSPs would also be required to provide a separate, concise summary containing key information related to a payment service on the cover page of the terms and conditions regarding the use of the service. Annex A to the Consultation Paper provides further detail on proposed disclosure requirements.

e. Dispute resolution – The Consultation Paper proposes that a designated external complaint body (ECB) be designated for PSPs to receive complaints that fail to be resolved through a PSP’s internal complaint handling process. PSPs would also be required to:

  • Advertise their complaint handling procedures and the possibility for customers to refer cases to the designated ECB;
  • Provide the ECB with all the information it may need in resolving the dispute; and
  • Participate in the dispute resolution process (e.g., participate in conciliation sessions and ECB consultations).

f. Liability for unauthorized transactions – The Consultation Paper proposes that payors not be held liable for losses for unauthorized transactions or errors unless they acted fraudulently or failed to fulfil certain obligations, and that the payment-authorizing PSP would have to refund the payor for losses resulting from unauthorized transactions or errors. Cases where the payor could be held liable include where (i) the payor has not taken reasonable care to protect the security of the payor’s passwords; (ii) the payor has not notified the PSP, without undue delay, that a payment instrument has been lost or stolen, or that a password has been breached; and (iii) the payor has entered the payee information incorrectly such that it was impossible for the PSP to transmit the funds to the right payee. Under these scenarios, the PSP would have to make reasonable efforts to recover the funds.

g. Privacy – The Consultation Paper notes that technological innovation has given PSPs the ability to collect and store many different types of personal and sensitive information and states that “weak protection of personal information by PSPs is a type of market conduct risk that may lead to a series of undesirable consequences for end users, such as financial or reputational harm due to data breaches”.

While the federal privacy legislation (PIPEDA) applies to all Canadian businesses in all sectors of the economy, including retail payments, the Consultation Paper states that “some PSPs may not be familiar with their responsibilities under PIPEDA or applicable provincial privacy legislation”.

The Consultation Paper proposes that the regulator for the oversight framework promote awareness of, and compliance with, PIPEDA and similar provincial legislation, including by directing PSPs, at the point of registration, to relevant, existing information published by the Office of the Privacy Commissioner or other provincial regulators regarding compliance with privacy-related obligations.

  1. Guiding Principles

The Consultation Paper states that “the proposed oversight framework would encourage innovation and competition” and aim to apply measures commensurate to the level of risk posed by each PSP.

To achieve these goals, the oversight framework is proposed to be built around the following guiding principles:

  • Principles-based requirements – Requirements are generally intended to be principles-based, both to accommodate the diversity of business models in the retail payments sector and to allow for flexibility in the case of future models.
  • Tiering of measures – The Consultation Paper states that consideration is to be given to tiering of specific measures such that, for example, smaller firms may be subject to less stringent requirements.
  • Recognition of equivalent requirements under other legislative frameworks – The Consultation Paper proposes that PSPs be exempt from having to implement a framework measure if the entity is subject to a substantially similar requirement under another federal or provincial statute (such as, for example, the Bank Act or credit union legislation).
  1. Advisory Service for Small Firms

The Consultation Paper proposes the establishment of an advisory service (similar to some of the regulatory sandbox models in other jurisdictions) for small PSP firms planning to commercialize a new product, process or service. Such advisory service could guide qualified PSPs through the registration process and assist by interpreting the various framework requirements based on their specific business model.

  1. Regulatory Authority

As noted above, the Consultation Paper refers to a “designated federal retail payments regulator”. Rather than explicitly address the creation of a new regulator, the Consultation Paper states that the framework will leverage the mandate and expertise of existing regulators, in order to ensure consistency in the implementation of similar measures across federal oversight frameworks. The Consultation Paper does not explicitly address which regulator will supervise those PSPs that are not currently subject to federal oversight.

Finally, the Consultation Paper provides that the regulator would have access to a combination of compliance tools that would allow for effective intervention with any type of PSP, set out in more detail in Annex C to the Consultation Paper, and including the issuance of guidelines, annual filing requirements, on-site examinations, and the ability to issue administrative penalties and compliance orders.

For more information about our firm’s Fintech expertise, please contact the authors and see our Fintech group page.