Insights on cybersecurity, privacy and data protection law

FDIC Issues Proposed Guidance on Best Practices for Third-Party Lending: Implications for Canadian Banks and Lenders

Posted in Financial, FinTech, Payments
Ana Badour, D.J. Lynde, Dan Doliner


The FDIC recently released for comments a proposed guidance with respect to third-party lending (the “Proposed Guidance”). While subject to potential revisions following the FDIC’s review of comments, the Proposed Guidance provides valuable insight into current regulatory trends relating to marketplace lending.

The Proposed Guidance defines “Third-Party Lending” as lending arrangements that rely on a third party to perform a significant aspect of the lending process, including: marketing; borrower solicitation; credit underwriting; loan pricing; loan origination; customer service; consumer disclosures; regulatory compliance; loan servicing; debt collection; and data collection (“Third-Party Lending”).

Third-Party Lending includes:

  1. Originating loans for third parties: a financial institution serving as the originator for another entity.
  2. Originating loans through, or with, third parties: a financial institution authorizing third parties to offer loans on the financial institution’s behalf.
  3. Originating loans through third-party platforms: a third party providing a nearly end-to-end lending platform for the financial institution’s use.

Third-party lending would therefore include partnerships between banks and non-bank lenders, such as online lenders and marketplace lenders.

Third-Party Lending arrangements may enable financial institutions to enhance lending services for their customers, including by offering credit products at lower costs. However, third-party lending arrangements present increased risks.

The FDIC views financial institutions (including their boards and management) as ultimately responsible for lending activities involving third parties. The Proposed Guidance sets forth safety and soundness and consumer compliance measures. These measures are intended to address the risks of Third-Party Lending and to improve financial institutions’ ability to comply with all applicable legal requirements.

While not directly applicable to Canadian financial institutions in their Canadian operations, the Proposed Guidance is instructive as it sets out a list of best practices for financial institutions entering into third-party lending arrangements. In addition, the Proposed Guidance could apply to a Canadian entity proposing to enter into a Third-Party Lending relationship with a US financial institution in the US market.

Financial Risks Arising from Third-Party Lending Relationship

Financial institutions dedicate significant resources to the development of lending operations, supervision, standardization and quality assurance. When engaging in Third-Party Lending, a financial institution becomes dependent on the third party’s own operational processes and standards, and loses some of its ability to control the lending process. Such dependency and reduced control expose the financial institution to various risks.

The FDIC lists certain key risks to consider before engaging a third party for the purpose of lending:

  1. Strategic Risk: inconsistencies between the business strategy of the financial institution and that of the third party.
  2. Operational Risk: integration with, and exposure to, a third party’s lending process creates operational complexity and reduces the financial institution’s operational control.
  3. Transaction Risk: transactions are processed by the third party in accordance with the third party’s standards and protocols, which may be less comprehensive than the financial institution’s.
  4. Pipeline and Liquidity Risk: where loans originated through a third party are expected to be sold, and the third party fails to purchase them as agreed, the financial institution is exposed to pipeline risk and the resulting liquidity and financial risk.
  5. Model Risk: financial institutions may become exposed to flaws in financial models developed and used by third parties.
  6. Credit Risk: third parties may apply inadequate credit risk management processes (e.g., underwriting, credit checks and assessment), which in turn may adversely affect the financial institution.
  7. Compliance Risk: in most cases, third parties devote fewer resources than financial institutions to compliance assurance, exposing the financial institution to the risk of noncompliance (including with consumer protection, bank secrecy and anti-money laundering requirements).

Mitigating Risks – The Third-Party Lending Risk Management Program

To reduce and manage the risks associated with Third-Party Lending, the FDIC recommends that financial institutions develop and adopt a risk management program defining the financial institution’s policies for all stages of a relationship with a third party:

  1. Pre-engagement due diligence: due diligence and assessment of potential risks before entering into a contract with a third party.
  2. Contract structuring: predefined contractual mechanisms to be included in any agreement with a third party in order to protect the financial institution, addressing, for example:
    1. Control and supervision over the third party.
    2. An undertaking by the third party to implement policies required by the financial institution.
    3. The financial institution’s access to the third party’s data for the purpose of adequate audit and supervision.
    4. Adequate representations and indemnification undertakings by the third party.
  3. Review and oversight (during the engagement): procedures addressing all aspects of integrated lending operations with a third party, including:
    1. Predefined limits on the scope of the Third-Party Lending activity (including the types of loans permitted and requirements for subprime products).
    2. Minimum performance standards that a third party must meet to be engaged by the financial institution.
    3. Monitoring and reporting protocols (including with respect to the third party’s own vendors).
    4. Standards and quality assurance processes for credit underwriting.
    5. A detailed process for handling consumer complaints, addressing reporting and response times.
    6. Appointment of a compliance officer, with defined resources, authority and reporting obligations.
    7. Standards and protocols for credit underwriting and credit administration.
    8. Capital adequacy, loss recognition and liquidity.
    9. Bank Secrecy Act/Anti-Money Laundering compliance.
    10. Standards for information technology and the protection of customer data.
    11. Periodic transaction testing by the financial institution.

Takeaways for Business

The Proposed Guidance provides insight into best practices from a regulatory perspective in respect of Third-Party Lending. As partnerships between banks and non-banks continue to increase in Canada, Canadian banks and lenders involved in Third-Party Lending may find the Proposed Guidance helpful.

For more information about our firm’s Fintech expertise, please see our Fintech group page.

McCarthy Tétrault Advance™: 6th Annual Privacy Law Update (Nov. 2, 2016)

Posted in Cybersecurity, Data Breach, Privacy
Returning for a 6th year, our Annual Privacy Law Update will review what’s new in privacy law. This year’s focus is on the ‘hot button’ issue of employees – snooping, unauthorized access, misconduct and employee-caused breaches. As you have come to expect, this session will provide practical advice for navigating both common and complex privacy law issues and is presented by a panel of our lawyers with leading expertise in this area.

Along with privacy case updates, we will be providing insight on:

  • Vicarious liability of employers
  • Regulatory consequences and sanctions
  • Employer’s obligation to monitor
  • Record keeping, notification and disclosure under the PIPEDA amendments
Join our lawyers Christine Lonsdale, Kirsten Thompson, and Tim Lawson for what is sure to be a compelling session.

Note: For those participants who cannot join us in-person, we are offering this program via webinar. If you are interested in this alternative, please select the appropriate option during the online registration process. All instructions and information on how to access the webinar will be forwarded in English only a few days before the event.

This program qualifies for up to 1.5 hours of eligible educational activity or CPD/MCE credit under the mandatory education regimes in British Columbia, Ontario and Québec.

Thank you for confirming or declining this personal invitation.

For questions about this seminar, please contact

11:30 a.m. — Registration
12:00 p.m. — Session begins
1:30 p.m. — Session ends
McCarthy Tétrault
53rd Floor Conference Centre
TD Bank Tower
66 Wellington Street West
Toronto ON M5K 1E6

Still Good Enough? Amendment to EC Decision on “adequacy” of Canadian Privacy Law in the Works

Posted in European Union, Legislation, Privacy
Keith Rose

Potential amendments could mean Canadian businesses receiving personal information from Europe will have more exposure to the differences in the data protection laws and enforcement regimes in the EU member states.

Readers of this blog will be aware that European privacy law has been in flux in the wake of the Schrems decision, which struck down the EU-US Safe Harbour regime for transfers of personal information.  (See previous coverage here, here, here, here, and here.)

While the direct impact of that decision was limited to Safe Harbour, the principles it set out were widely anticipated to have broader implications. Some clues have now emerged as to how these implications will play out.

On October 3, the European Commission presented draft decisions amending a number of existing “adequacy” decisions, including the decision applicable to Canada, as well as the decision on standard contractual clauses (or “SCCs”).

The amendments have not yet been publicly released.  However, according to the summary of the meeting of the “Committee on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (aka the “Article 31 Committee”):

…the purpose of both draft decisions is to cure the illegality that follows from the findings in the Court of Justice’s Schrems ruling. In Schrems, the Court invalidated Article 3 of the Safe Harbour adequacy decision because it found that the Commission exceeded its powers in imposing limitations on the powers of national supervisory authorities (“DPAs”) to suspend and prohibit data flows. Since a comparable provision restricting the powers of DPAs is present in the existing adequacy and SCCs decisions, the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.

From this description, it seems likely that the amendment will (at least) modify Article 3 of the Canadian adequacy decision, to make it clear that DPAs will have full and independent authority to review any transfers to Canada and apply any remedies available under their respective national laws.

The same is presumably true for the other affected decisions, including Article 4 of the SCCs decision.

If true, this will mean that Canadian businesses on the receiving end of transfers of personal information from Europe (and all businesses relying on the SCCs) will have more exposure to the differences in the data protection laws and enforcement regimes in the member states.  This confirms what we predicted would be a likely consequence of the Schrems decision.

Some of these differences will be harmonized by the GDPR when it becomes applicable on May 25, 2018.  However, that will bring its own challenges, including new obligations applied extraterritorially to businesses offering goods or services in the European market, backed by administrative fines of up to the greater of €20 million or 4% of an organization’s total worldwide annual turnover for the preceding financial year.

However, there does not appear to be any suggestion that these amendments will modify the core determination that Canadian law provides adequate protection of personal information.  So, at least in the short term, it will continue to be legal to transfer European personal information to Canada.

The Article 31 Committee has not yet taken any decision on the proposed amendments.  A further meeting will be convened in “the coming weeks”, after the member states have an opportunity to review and consider the documents.

CSA Issues New Guidance on Cybersecurity

Posted in Cybersecurity, Regulatory Compliance
Sonia Struthers, Charles Morgan

Cybersecurity is top of mind for corporate boards and securities regulators alike.

On September 27, 2016, the Canadian Securities Administrators (“CSA“) issued CSA Staff Notice 11-332 – Cyber Security (the “2016 Notice”).  The 2016 Notice updates the CSA’s previous notice on the same topic, CSA Staff Notice 11-326 Cyber Security (the “2013 Notice”) for reporting issuers, registrants and regulated entities.

As the CSA acknowledges, since the 2013 Notice was published, the cybersecurity landscape has evolved considerably, as cyber attacks have become more frequent, complex and costly.  Citing two recent studies by PriceWaterhouseCoopers and Ponemon, the CSA noted in the 2016 Notice that:

  • In 2015, 38% more cyber security incidents were detected than in 2014; and
  • The average total cost of a data breach for the companies participating in the 2016 Ponemon survey stood at US$4 million.

Summary of CSA Cybersecurity Initiatives

In the 2016 Notice, the CSA first provides a summary of its recent initiatives to monitor and address cyber security risks in order to improve overall resilience in our markets.

For example, noting the failure of many issuers to fully disclose their exposure to cyber risks, the 2016 Notice states that CSA members intend to re-examine the disclosure of some of the larger issuers in the coming months and, where appropriate, will contact issuers to get a better understanding of their assessment of the materiality of cyber security risks and cyber attacks.

Second, the 2016 Notice notes that some CSA members are gathering data about registrants’ cyber security practices pursuant to a risk assessment questionnaire that was sent to a large number of registered firms in May 2016. A more targeted desk review is planned for the remainder of 2016, which will assess in more detail the areas discussed in regular compliance reviews.

Third, the CSA notes current initiatives on enhancing cross-border information sharing among regulators related to cyber security.

Cybersecurity Resources

The 2016 Notice also provides links and references to a number of particularly helpful cyber security resources that have been published by various financial services regulatory authorities and standard-setting bodies in an effort to improve the preparedness of market participants to deal with cyber incidents.  Such resources include:

  • IIROC Cybersecurity Best Practices Guide
  • IIROC Cyber Incident Management Planning Guide
  • Securities and Exchange Commission (SEC) Division of Corporation Finance Disclosure Guidance
  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • The Office of the Superintendent of Financial Institutions (OSFI) Cyber Security Self-Assessment Guidance

As summarized in the 2016 Notice, these publications highlight the need for an organization to:

  • manage cyber security at an organizational level with responsibility for governance and accountability at executive and board levels;
  • organize its cyber security activities at a high level: Identify, Protect, Detect, Respond, and Recover;
  • establish and maintain a robust cyber security awareness program for staff;
  • formulate a clear understanding of the business drivers and security considerations specific to its use of technology, systems and networks;
  • understand the likelihood that an event will occur and the resulting impact in order to determine the acceptable level of risk appetite according to its risk tolerance, budget and legal requirements;
  • manage cyber security risk exposures that arise from using third-party vendors for services;
  • consider methodology to protect individual privacy as well as any obligations to report cyber security breaches to a regulatory authority;
  • consider whether to share information about cyber incidents with Market Participants;
  • communicate, collaborate and coordinate with other entities;
  • establish plans to restore any capabilities or services that may be impaired due to a cyber incident in a timely fashion; and
  • treat cyber security programs as living documents that will continue to be updated and improved on an ongoing basis.

CSA Expectations

Finally, the 2016 Notice sets out the CSA’s expectations for market participants on a going-forward basis.  In particular:

  • Reporting Issuers: To the extent that an issuer has determined that cyber risk is a material risk, CSA members expect that issuers should:
    • provide risk disclosure that is as detailed and entity specific as possible;
    • address in any cyber-attack remediation plan how the materiality of an attack would be assessed to determine whether and what, as well as when and how, to disclose in the event of an attack; and
    • consider the impact on the issuer’s operations and reputation, its customers, employees and investors.
  • Registrants: CSA members expect that registrants continue to remain vigilant in developing, implementing and updating their approach to cyber security hygiene and management. Dealers should review and follow guidance issued by self-regulatory organizations such as IIROC and the MFDA.
  • Regulated entities: CSA members expect that regulated entities examine and review their compliance with ongoing requirements outlined in securities legislation and terms and conditions of recognition, registration or exemption orders, which include the need to have internal controls over their systems and to report security breaches. The CSA members also expect regulated entities to adopt a cyber security framework provided by a regulatory authority or standard-setting body that is appropriate to their size and scale.



Canada’s Competition Commissioner Emphasizes Innovation, Highlights Fintech Market Study

Posted in Big Data, Financial, FinTech
Dan Doliner, Ana Badour, Kirsten Thompson, Donald Houston

Canada’s Commissioner of Competition, John Pecman, spoke on October 6th, 2016 to the Canadian Bar Association’s Competition Law Fall Conference, addressing the link between competition and innovation and providing updates on the Fintech market study launched by the Competition Bureau earlier this year.

Competition Drives Innovation

The Commissioner noted that new disruptive technologies challenge not only traditional business but also regulators. Governments and regulatory bodies across Canada are developing strategies to support such innovation (see our recent post on related initiatives by the OSC).

“Competitive intensity fosters innovation”, noted the Commissioner. He remarked that competition pushes business to develop better products and services, production techniques and business models and that the Competition Bureau promotes “competitive intensity” through its efforts to increase compliance with the law and by advocating for a pro‑competitive approach to regulation.

The Fintech Market Study

The Bureau launched a Fintech market study in May with the goal of better understanding how it could support the growth of Fintech. Fintech is widely expected to disrupt the financial sector and generate benefits for both businesses and consumers. As part of the study, the Bureau interviewed more than 50 industry stakeholders, including more than 20 Fintech start‑ups.

In early 2017, the Bureau will invite a broad range of industry stakeholders and federal and provincial regulators for a workshop. The workshop will serve as a forum for discussion about the regulatory challenges faced by Fintech and possible approaches that could enhance the efficiency and effectiveness of Canada’s financial services sector. The ultimate goal is to create incentives to drive innovation for the benefit of consumers, businesses and the Canadian economy (for a detailed review of the interplay between regulation and Fintech innovation, please see the report “FinTech in Canada: British Columbia Edition” co-authored by the Digital Finance Institute and McCarthy Tétrault). The Bureau expects to release its report in late 2017 for public comment.

The Commissioner’s remarks indicate the commitment of the Competition Bureau to use its authority and jurisdiction to support innovation in general, and Fintech innovation in particular. The full text of the Commissioner’s remarks is available here.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.

NY State Introduces Cybersecurity Regulations for Financial Services: Implications for Canadian Business

Posted in Cybersecurity, Financial, FinTech, Legislation, Regulatory Compliance
Dan Doliner, Fraser Dickson

The New York State Department of Financial Services has announced a proposed cybersecurity regulation, the first of its kind at the state level. The proposed regulation would apply to regulated banks, insurance companies, and other financial services institutions, and has implications for Canadian organizations doing business with these entities.

On September 13, 2016, the New York State Department of Financial Services (“DFS“) announced a proposed new cybersecurity regulation (the “Regulation”) that will apply to banks, insurance companies, and other financial services institutions regulated by the DFS. The Regulation is intended to protect both the information technology systems of regulated entities and the non-public customer information they hold from the growing threat of cyberattack and cyber-infiltration.

Following a 45-day notice and public comment period, the Regulation will proceed to final issuance and become effective on January 1, 2017, followed by a transition period. The first annual certification (described below) will be due on January 15, 2018.

The Regulation is indicative of a trend towards increased cybersecurity scrutiny of securities and related sectors both globally (see our previous posts here and here) and in Canada (see our previous post here). The Regulation will likely serve as a best practices guidance document even for organizations that are not regulated by the DFS and Canadian regulators are no doubt watching this development closely.

The Regulation’s Requirements

The Regulation requires action in four key areas, summarized below:

  1. Establishing a Cybersecurity Program
  2. Establishing a Cybersecurity Policy
  3. Designating a Chief Information Security Officer
  4. Reporting and records requirements

1. Establishing a Cybersecurity Program

Covered Entities (meaning any person or entity operating under a license, registration or similar authorization under the banking, insurance and financial services laws of the State of New York) will be required to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s information systems (the “Cybersecurity Program”). The Cybersecurity Program must fulfill the following functions:

(1) identify internal and external cyber risks;

(2) construct defensive infrastructure, policies and procedures to protect the Covered Entity’s information systems;

(3) enable detection, response to, and recovery from cybersecurity events (such as unauthorized access to information systems);

(4) fulfill regulatory reporting obligations.

To enable each Covered Entity to respond flexibly according to its own needs, Covered Entities have been given discretion with respect to the precise format of their Cybersecurity Programs. However, the Regulation requires that all Cybersecurity Programs address the following:

  • Penetration Testing and Vulnerability Assessments: annual penetration testing and quarterly vulnerability assessments of the Covered Entity’s information systems.
  • Audit Trail System: a system that allows complete reconstruction of all financial transactions; detection of and response to cybersecurity events; logging of all privileged authorized user access; protection of data and hardware from alteration; logging of system events; and retention of all audit records for six years.
  • Access Privileges: limitation of access privileges to information systems on a need-to-know basis, with periodic review.
  • Application Security: written procedures to ensure the secure development of applications, whether developed in-house or externally.
  • Risk Assessment: an annual written risk assessment of the Covered Entity’s information systems providing (1) criteria for the evaluation and categorization of risks; (2) criteria for the assessment of the confidentiality, integrity and availability of information systems, including the adequacy of existing controls; and (3) a description of the risk-mitigation process.
  • Personnel and Intelligence: engagement of skilled cybersecurity personnel sufficient to achieve compliance, along with adequate training.
  • Multi-Factor Authentication: multi-factor authentication for access to the Covered Entity’s information systems.
  • Data Retention: timely destruction of nonpublic information that is no longer necessary, except where retention is required by law.
  • Training and Monitoring: regular cybersecurity training and systems for monitoring the activity of Authorized Users.
  • Encryption: encryption of all nonpublic information, both in transit and at rest.
  • Incident Response Plan: a written incident response plan to promptly respond to, and recover from, any cybersecurity event.
  • Third Party Information Security Policy: procedures to ensure the security of information systems and nonpublic information that are accessible to, or held by, third parties doing business with the Covered Entity.

This last requirement is notable as it potentially affects Canadian service providers to Covered Entities. Such providers can expect their clients to put in place procedures that identify risks related to third parties, establish cybersecurity standards that third parties are required to meet, and conduct annual due diligence evaluations of the adequacy of those third parties’ standards. Such procedures are also to include “implementing preferred contractual provisions for agreements with third parties”, including provisions requiring multi-factor authentication, encryption, notice of a cybersecurity event, identity protection, protection against malware, and audits of the third-party service provider by the Covered Entity. As a result, Canadian businesses that are service providers to Covered Entities may wish to get ahead of customer inquiries (or demands) by proactively reviewing their contracts and formulating their approach to risk tolerance.

2. Establishing a Cybersecurity Policy

Covered Entities are also required to implement and maintain a written cybersecurity policy which will detail the policies and procedures for the protection of the Covered Entity’s information systems. There is nothing surprising about what is required in such Policy, although there is an explicit requirement for the Covered Entity’s board of directors, or equivalent governing body, to review the Cybersecurity Policy as frequently as necessary, and at least once a year.

3. Designating a Chief Information Security Officer

Covered Entities will be required to designate a “qualified” Chief Information Security Officer (“CISO”) responsible for the Covered Entity’s Cybersecurity Program and Cybersecurity Policy (interestingly, the function of CISO can be outsourced to a third party, under certain conditions).

The CISO shall report, at least bi-annually, to the Covered Entity’s board of directors or equivalent governing body, on the following: (1) the confidentiality, integrity and availability of the Covered Entity’s information systems; (2) exceptions to the Cybersecurity Policy; (3) cyber risks to the Covered Entity; (4) effectiveness of the Cybersecurity Program; (5) proposed steps to remediate any inadequacies identified therein; and (6) summary of all material cybersecurity events that affected the Covered Entity during the time period addressed by the report.

4. Reporting and Records Requirements

Covered Entities are required to notify the regulator as promptly as possible, and no later than 72 hours after becoming aware of the event, of any cybersecurity event that may reasonably be expected to materially affect the normal operation of the Covered Entity’s information systems or compromise the nonpublic information it holds.

Covered Entities shall certify annually that the Covered Entity is in compliance with the requirements set forth in the Regulation. All records supporting such certificate must be retained for a period of five years.

Implications for Canadian Business

Are you a third-party vendor of a New York regulated financial institution? The Regulation could affect your business (see above final point under Establishing a Cybersecurity Program).

Section 500.11 of the Regulation mandates significant new due diligence obligations in relation to third party service providers. If you are a third-party vendor (for instance, a payroll, data processing, or software provider) of a regulated New York financial services or insurance institution, then that institution now has the obligation to report any cybersecurity event you may have if it’s likely to affect the Covered Entity’s business. Covered Entities will now also have the obligation to conduct periodic assessments of your internal processes for handling their non-public information, to obtain representations and warranties from you as to the soundness of those processes, and to make contractual provision for all of the above, which may require revisions to your existing contracts.

Canadian businesses should already be thinking about many of these issues, especially in light of the recent amendments to PIPEDA, which should see draft regulations on many similar issues released soon.

Furthermore, while this Regulation is the first of its kind issued by a US state government, organizations having clients in other US jurisdictions should understand that matching or similar regulations are likely not far off.

Similarly, while Canadian regulators in several jurisdictions have issued their own guidance documents on cybersecurity in the financial services sector, New York’s position as the world’s financial capital suggests that the Regulation will be watched closely, including by Canadian courts and regulators.


Canada’s First Regulatory Sandbox for Fintech? OSC Announces Plans for “OSC LaunchPad” Innovation Hub

Posted in Financial, FinTech, Regulatory Compliance
Ana Badour, Genevieve Pinto

OSC chair Maureen Jensen has announced that the OSC plans to launch an innovation hub for fintech entities. “OSC Launchpad” will be the first fintech hub for a Canadian securities regulator.

Securities regulation in Canada impacts a number of fintech business models (including companies offering online advising, peer-to-peer lending, crowdfunding platforms and angel investor organizations). The OSC had also previously issued a notice on peer-to-peer lending, inviting those operating in this sector to discuss with OSC Staff and reminding prospective marketplace lenders that certain prospectus and registration requirements may be applicable to them, depending on their business model.

OSC Launchpad will be staffed by a dedicated team who will work directly with fintech companies to help them navigate Ontario’s securities laws. The OSC says it will work to tailor regulation and oversight for fintech companies to foster innovation, and to reduce regulatory burden, while ensuring investors remain protected.

OSC Launchpad arrives as many jurisdictions (including the UK, Singapore and Australia) launch their own “regulatory sandboxes” seeking to create a regulatory “safe space” in which businesses can test innovative products and services without immediately incurring all the normal regulatory consequences of engaging in such activity. In Canada, the Competition Bureau is also in the process of completing a market study focused on how innovation in the fintech sector is impacting consumers and businesses, with the results intended to be published in the spring of 2017, seeking to determine whether there is a need for “regulatory reform to promote greater competition while maintaining consumer confidence in the sector.”

For more information on regulatory sandboxes in other jurisdictions, please see the report “FinTech in Canada: British Columbia Edition” co-authored by the Digital Finance Institute and McCarthy Tétrault. For more information about our firm’s fintech expertise, please see our Fintech group’s page.

Deletion of Browser History to Prevent Embarrassment Not Spoliation

Posted in E-Discovery, Privacy
Marissa Caldwell

In Catalyst Capital Group Inc v Moyse, 2016 ONSC 5271, the Ontario Superior Court considered whether the defendant, Brandon Moyse, who deleted his Internet browsing history from his personal computer in the face of a preservation order, had intentionally destroyed relevant evidence, giving rise to spoliation. Spoliation is an evidentiary rule that gives rise to a rebuttable presumption that destroyed evidence would be unfavourable to the party that destroyed it.

The underlying action arose after Moyse, who had been employed by Catalyst, left the company to take a position with a competing investment management firm. Catalyst brought an action for breach of confidence for the alleged misuse of confidential information regarding a target company in which Catalyst had unsuccessfully attempted to acquire an interest. Subsequently, the target company was successfully acquired by Catalyst’s competitor, and Catalyst claimed Moyse had delivered Catalyst’s confidential information to its competitor and its competitor had used it in the successful acquisition.

After Moyse had joined the competitor company and before this action was commenced, Catalyst obtained a consent order requiring Moyse and the competitor company to preserve and maintain all records in their possession, power or control “relating to Catalyst and/or related to their activities since March 27, 2014 and/or related to or was relevant to any of the matters raised in the Catalyst action.” The order required specifically that Moyse turn over his computer to counsel for forensic imaging of the data stored on it.

However, before turning his personal computer over to his lawyer, Moyse deleted his personal browsing history and purchased software entitled “RegCleanPro” to further delete registry information. In addition, Moyse wiped clean his Catalyst-issued mobile device before returning it.

After determining that the elements of an action for breach of confidence could not be made out on the facts of the case, the Court turned to the question of spoliation. A finding of spoliation requires four elements to be established:

  • the missing evidence must be relevant;
  • the missing evidence must have been destroyed intentionally;
  • at the time of destruction, litigation must have been ongoing or contemplated; and
  • it must be reasonable to infer that the evidence was destroyed in order to affect the outcome of the litigation.

In explaining why he had erased his browsing history, Moyse said he was worried that Catalyst would be able to access his personal internet browsing history and that, in light of the anticipated court proceedings, this history might become part of the public record. In particular, Moyse was concerned that his having accessed adult entertainment websites would become public.

Moyse stated that he did not believe it was improper to delete his internet browsing history as the order did not require him to maintain his computer in “as is” condition. Because the focus of the preservation order was to maintain and preserve documents, he felt that by deleting his browsing history, he was deleting personal information not relevant to the litigation. Moyse was aware that simply deleting his browsing history through the browser would not fully erase the record, so he searched online for a more permanent solution. He purchased the first program he found, RegCleanPro. He ran the RegCleanPro software to clean his computer registry the day before he delivered his computer to his lawyers.

The Court accepted Moyse’s evidence as to why he had deleted his internet browsing history. This was partially based on the fact that Moyse had a girlfriend and that it was understandable that he would not want his browsing of adult entertainment websites included in the record. It was concluded that Moyse had not intended to destroy relevant evidence and that this precluded any finding of spoliation. Catalyst contended that Moyse could have looked at Catalyst documents related to the target company in his dropbox before erasing his browsing history. This argument was dismissed as there was no evidence that Catalyst documents had ever been transferred into Moyse’s dropbox and because the forensic image of his computer showed that the last time Moyse accessed his dropbox pre-dated his working on the target company file.

Regarding the mobile device, the Court accepted that Moyse wiped it to delete pictures and texts of a personal nature. Because Catalyst maintained access to all of the emails on the device, no spoliation was found.

Justice Newbould found that Catalyst had not established that Moyse had intentionally destroyed evidence in order to affect the outcome of the litigation. As such, there was no basis to find or infer a presumption that Moyse destroyed evidence that would be unfavourable to him.

Catalyst had also argued that spoliation should be recognized as an independent tort. While Canadian courts have allowed the pleading of a tort of spoliation to proceed to trial, there were no cases referred to in Catalyst’s submissions that actually recognized spoliation as a tort. Due to the finding that there was no spoliation, the Court did not consider whether such a tort exists in Canada.

Takeaways for Business

This decision exposes reasons why a carefully drafted preservation order is essential. If the order had stated that Moyse turn over his computer in “as is” condition and he had still deleted his browsing history, Moyse’s credibility as a witness would likely have been called into question. If the order had stated that Moyse turn over his computer in “as is” condition and he had left it in the same condition, forensic experts could have definitively known if he had confidential information to share.

In short, a preservation order should state everything that is to be preserved, and the manner in which it is to be preserved.
FinTech in Canada: A Report Studying The Canadian FinTech Ecosystem

Posted in Big Data, Financial, FinTech
Genevieve Pinto, Dan Doliner

“FinTech in Canada: British Columbia Edition” brings insight from more than a hundred stakeholders in the Canadian FinTech sector on challenges and opportunities, provides a comparative overview of the FinTech ecosystem in Canada and 16 other countries, including the U.K., U.S. and Australia, and offers recommendations to advance FinTech in Canada.

The Digital Finance Institute and McCarthy Tétrault LLP have co-authored a comprehensive report, “FinTech in Canada: British Columbia Edition” studying the Canadian FinTech ecosystem. The report reviews the current FinTech landscape in Canada, with a special focus on Vancouver, and a comparative overview of FinTech in 16 international jurisdictions. A product of a unique internationally collaborative process, the report brings together insights of key stakeholders in Canadian FinTech, including banks, government agencies, tech firms, law firms, advisory firms, universities, VCs and industry associations.

The report maps the FinTech ecosystem in Canada, and its strengths, challenges and opportunities with a view to understanding the future of FinTech, in Canada and globally. The report offers recommendations and a roadmap for Canada to capitalize on its FinTech opportunity and be an international leader in FinTech.

“FinTech in Canada: British Columbia Edition” is a collaboration between McCarthy Tétrault LLP’s FinTech group and the Digital Finance Institute. The Digital Finance Institute is a prestigious Canadian-based think tank for FinTech established in 2013 with a mandate to address the balance of innovation and regulation; support initiatives for financial inclusion; and advocate for diversity in FinTech. K&L Gates LLP, a global law firm, contributed insight and content for the report regarding the U.S. and Australian FinTech ecosystems.

For the full report, click here.

For more information about our firm’s Fintech expertise, please see our Fintech group page.

No Waiver of Privilege for Contractor Emails on Company Account

Posted in E-Discovery, Privacy
Dan Doliner

Can a company which provides a corporate e-mail account to a contractor, and then gets into a legal dispute with that contractor, use the contractor’s emails in that corporate account in the litigation? The answer appears to be no, in certain circumstances.

The Facts

A company engaged a contractor who provided it with certain services, and in this context, the company provided the contractor a corporate e-mail account. The contractor used this corporate e-mail account to exchange e-mails with his lawyer about a legal dispute he had with the company. Can the company use these e-mails in the litigation with the contractor? This is the main question in a recent decision of the Ontario Superior Court of Justice, in Narusis v. Bullion Management Group, 2016 ONSC 4731.

The defendant, Bullion Management Group Inc. (“BMG”) employed the plaintiff, Nathan Narusis (“Narusis”), beginning in 2007. In December 2011, BMG and Narusis agreed that Narusis would continue to provide BMG with services, but as a contractor, through a corporation controlled by Narusis.

As an employee of BMG, Narusis was provided with a corporate e-mail account; he continued to use the same corporate account when he became a contractor. In January 2011 BMG distributed to its employees an “Employee Policy & Procedures Manual” (the “Policy”). This Policy states that e-mails exchanged through BMG’s corporate e-mail account are not guaranteed to be private and could be subject to inspection. The Policy required all e-mail account users to sign an acknowledgement that they understood and would abide by the terms of the Policy. Narusis did not sign such an acknowledgement.

In September 2012 BMG terminated the working relationship with Narusis. In connection with the termination, Narusis launched an action against BMG.

As part of discovery, BMG searched its corporate e-mail server for e-mail correspondence relating to Narusis. BMG sent copies of relevant e-mail communications to its counsel. BMG’s counsel reviewed the e-mails and noticed that some of the e-mails were communications between Narusis and one or more of his lawyers. BMG’s counsel immediately stopped reviewing those e-mails, and sealed them pending the determination of the court in their regard.

BMG filed a motion with the court, seeking an order deeming the e-mails not subject to solicitor-client privilege. After hearing the motion, a Case Management Master dismissed it. The Master determined that e-mails exchanged between Narusis and his lawyers, despite being sent through BMG’s e-mail server, were subject to solicitor-client privilege, and therefore, could not be admitted as evidence.

BMG appealed, requesting the court to set aside the Master’s decision.

The Court’s Decision: Dismissal

In its appeal, BMG raised two key arguments:

  1. The court should apply the legal tests relating to protection of privacy, and thus find, on a balance of interests, that the interest of submitting evidence (in this case, Narusis’s e-mail exchange with his lawyers) prevails over Narusis’s right to privacy.
  2. Narusis waived solicitor-client privilege over his communications with his counsel by corresponding with his counsel via Narusis’s corporate e-mail account, thus, making these e-mails available for BMG to review.

Privacy Protection Rules Do Not Apply to Solicitor-Client Privilege

The court determined that the e-mail exchange between Narusis and his lawyer was subject to solicitor-client privilege and therefore the legal tests relating to privacy were not applicable.

The court noted that solicitor-client privilege is distinguished from the more general protection of privacy. These two rights are related but not the same. Narusis’ e-mail exchange with his counsel was an interaction in which counsel was engaged in providing legal advice or ‘otherwise acting as a lawyer.’[1] In addition (and as further discussed below), Narusis had a reasonable expectation that the e-mail exchange with his lawyer would remain confidential. Thus, the e-mails were subject to solicitor-client privilege.

Lederer J. noted that solicitor-client privilege is fundamental to the proper functioning of the Canadian legal system. Without solicitor-client privilege, access to justice and equality of justice would be compromised.[2] The court further noted that ‘solicitor-client privilege must be as close to absolute as possible to ensure public confidence and retain relevance.’[3]

Solicitor-Client Privilege: Sending E-mails Via Corporate E-mail Account Does Not Constitute Waiver

The court concluded that the facts of the case indicated that Narusis had not, implicitly or explicitly, waived his solicitor-client privilege over the e-mails.

BMG distributed the Policy to its employees, stating that e-mail transmitted through the corporate account is ‘not guaranteed to be private’. The court found that the Policy did not forbid use of the corporate e-mail account for personal matters, and that despite the Policy ‘not guaranteeing’ privacy, Narusis had a reasonable expectation of privacy.

The court considered Narusis’ particular circumstances: he refused to acknowledge the Policy; he was employed by BMG for several years at the time the Policy was circulated and used his corporate e-mail account according to existing practices; and he was not considered an employee at the time the relationship with BMG was severed.

Lederer J. found that Narusis did not show an intention to deliver the e-mails to anyone other than, or in addition to, his counsel. The release of Narusis’ e-mail exchange with his counsel to BMG’s review was inadvertent. In addition, there was no public disclosure of the e-mails. Once the court found that Narusis’ e-mail exchange with his lawyer was subject to solicitor-client privilege, ‘anything that purports to be a waiver that does not involve a conscious, deliberate decision, must be narrowly construed and applied.’[4]

Takeaways for Business

E-mail continues to be one of the most dominant technological tools in all aspects of business operations. Consequently, e-mail exchange will continue to play a significant role in legal disputes. This case reflects the importance of understanding the intricacies relating to the use of e-mail.

In this case, the court found that the circumstances before it do not constitute waiver of solicitor-client privilege. However, in its analysis, the court suggested that had Narusis been an employee, and/or signed the Policy, and/or personal e-mails been forbidden, the outcome may have been different. For a business, loss of solicitor-client privilege can be a detrimental blow in litigation.

The decision in this case illustrates the importance of having effective policies to administrate the use of corporate e-mail. Such policies should take into account the particular circumstances of the business by offering solutions to specific issues that are part of the environment in which the business operates. However, as shown by this case, many times a policy alone is not enough, and it must be supplemented by the appropriate management procedures and technologic tools, to allow effective control of the use of corporate e-mail.

[1] Referring to Blood Tribe Department of Health v. Canada (Privacy Commissioner), 2008 S.C.C. 44, at para. 10.

[2] Ibid. (Blood Tribe), at para. 9.

[3] Referring to R. v. McClure, [2001] 1 S.C.R. 445, at para. 35.

[4] Referring to Leggat v. Jennings, 2015 ONSC 237, at paras. 30-31.