Insights on cybersecurity, privacy and data protection law

SEC issues Guidance on Public Company Cybersecurity Risk Disclosures

Posted in Cybersecurity, Financial, Regulatory Compliance
Arie van Wijngaarden, Kirsten Thompson

On Wednesday, February 21, 2018, the United States Securities and Exchange Commission (SEC) published cybersecurity risk disclosure guidance (the SEC Guidance) for public companies to assist them in preparing disclosure related to these types of risk and incidents. The SEC Guidance does not propose new rules or rule amendments that would impose new requirements, but rather expresses the SEC’s views within the existing disclosure framework. It is nonetheless important because, as with previous cybersecurity guidance in 2011 (see below), SEC staff can be expected to turn to it when evaluating the adequacy of disclosures.

The SEC Guidance is also important because it places new emphasis on:

  1. having appropriate cybersecurity policies and procedures in place to disclose material cybersecurity information to investors; and
  2. preventing insider trading in the context of a cybersecurity incident.

The SEC Guidance reflects statements made by the SEC’s chair Jay Clayton that “cybersecurity is critical to the operations of companies and our market” and recognizes that cybersecurity risk poses a threat to the entire US economy.

This threat has increased since the SEC issued its last interpretive guidance on cybersecurity in 2011. The 2011 Cybersecurity Guidance outlined the staff’s views on how companies should describe cybersecurity matters and their potential effects under existing disclosure rules. It also commented on the ways in which cybersecurity matters may affect financial statement disclosure. The 2018 Cybersecurity Guidance is similarly motivated towards promoting “clearer and more robust disclosure” by businesses, according to a statement from SEC Chairman Jay Clayton.

Cybersecurity Disclosure Requirements

There can be significant costs for companies experiencing cybersecurity incidents, including remediation costs, additional cybersecurity protection costs, increased insurance costs, opportunity costs from lost revenue, and legal costs arising from either investor actions, litigation, or regulatory investigations by government agencies.  These costs can adversely affect a company’s market value and future stock performance.  The SEC Guidance therefore recognizes investors have an interest in the disclosure of cybersecurity risks:

Given the frequency, magnitude and cost of cybersecurity incidents, the Commissioner believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.

The SEC indicated that it had designed its guidance “to be consistent with the relevant disclosure considerations that arise in connection with any business risk.” The SEC Guidance provides considerations for companies on how to address assessments of materiality, a possible duty to correct or update cybersecurity disclosures, and disclosure concerning board oversight of cybersecurity.


The SEC considers information material if there is a substantial likelihood that a reasonable investor would consider the information important when making an investment decision or disclosure of the information would be viewed by a reasonable investor as having significantly altered the “total mix” of information available.  Although the disclosure requirements of Regulation S-K and Regulation S-X do not specifically address cybersecurity risk and incidents, cybersecurity risks or incidents could nonetheless be material depending upon their “nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations….[and] on the range of harm that such incidents could cause.”  Once a company discloses a cybersecurity risk or incident, it may have a legal duty to correct or update the disclosure.

Making timely and accurate disclosure of cybersecurity information can be a delicate balancing act. Often in the context of a data breach, it can take time to gather all the information necessary to paint an accurate picture of what occurred. Companies need to decide how much information gathering is enough before disclosing to satisfy the timeliness requirement. Importantly, the SEC Guidance clarifies that an ongoing law enforcement investigation, which often takes significant time, is not a basis on its own for non-disclosure of a material cybersecurity incident.

Cybersecurity-related disclosure also involves decisions of how much technical information to include.  While companies want to give investors an accurate picture of their cybersecurity risk profile, they may not want to alert bad actors to potential opportunities.  The SEC Guidance indicates that cybersecurity disclosure should not be so technically detailed that bad actors can use it as a “roadmap” to attack a company’s systems.  Management Discussion and Analysis (MD&A)  should discuss cybersecurity factors affecting the financial condition of a company such as costs of a cybersecurity incident, insurance and compliance costs, intellectual property loss, and expenses related to ongoing preventative efforts.

Risk Factors

The SEC Guidance flags several cybersecurity risk factors which companies should consider in their Form 20-F reporting. These include:[1]

  • the occurrence of prior cybersecurity incidents, including their severity and frequency;
  • the probability of the occurrence and potential magnitude of cybersecurity incidents;
  • the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
  • the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
  • the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  • the potential for reputational harm;
  • existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
  • litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The SEC Guidance clarifies that a company experiencing a cybersecurity incident such as a distributed denial of service (DDoS) attack cannot simply disclose the risk that such an incident may occur. The company may also need to discuss how the occurrence of the incident affects its broader cybersecurity risk profile. This is significant because mandatory cybersecurity incident reporting requirements are currently a hot topic in many jurisdictions including the United States, European Union, and Canada.

Insider Trading & Cybersecurity

Trading by directors, officers and other corporate insiders while in possession of material nonpublic information about a security, commonly referred to as insider trading, is illegal. The SEC Guidance renews emphasis on the prevention of insider trading in the event of a cybersecurity incident, which could be material nonpublic information. The SEC suggests that while a company is investigating a cybersecurity incident that has not yet been publicly disclosed, it would be prudent for the company to consider whether to restrict trading by its insiders. This restriction could extend to individuals in IT departments and digital forensics firms who may come across material nonpublic information in the response to a cybersecurity incident.

Implications for Canada

There are several implications of the SEC Guidance which affect Canadian companies.  Dual-listed companies should be aware of the SEC Guidance, and may want to update their policies and disclosure procedures accordingly. Canadian companies which are not traded in the United States may also benefit from a review of their cybersecurity disclosure practices. The fast-paced development of the cybersecurity field means that policies and procedures need to be updated on a consistent basis.

Regulators in Canada carefully monitor developments in other jurisdictions and have been active in the cybersecurity space.  For example, in October 2017 the Canadian Securities Administrators  issued guidance on cybersecurity and social media.  While the Canadian regulatory regime is different, it is informed by developments elsewhere and companies may wish to take a closer look at the SEC Guidance when reviewing their policies and practices.

[1] See p 13-14 of the SEC Guidance, available at

Adjudicating by Algorithm: The risks and benefits of artificial intelligence in judicial decision-making

Posted in AI and Machine Learning
Carole Piovesan, Vivian Ntiri

Carole Piovesan and articling student Vivian Ntiri’s article, “Adjudicating by Algorithm: The risks and benefits of artificial intelligence in judicial decision-making”, has just been published in The Advocates’ Journal.

Artificial intelligence is expected to penetrate every sector and industry of the global economy, with law being no exception. Its potential to bring increased efficiency matters greatly in an era in which our legal system is under scrutiny. The technology and its implications need to be better understood. The article explores the use of AI in adjudication, highlighting, as a use case, algorithm-based risk assessments in criminal proceedings.

Disclosing a Litigant’s Private Information during Judicial Proceedings is not a Privacy Breach

Posted in Legislation, Privacy, Privacy Act
Gabriel Querry, Justine Blair

It has long been settled that in civil actions, the public interest in getting at the truth will, absent special circumstances, trump the litigants’ right to privacy. In fact, the introduction of legal proceedings allows the parties, at the discovery stage, to probe into each other’s files and force the disclosure of otherwise confidential information, including private information, for the purpose of verifying the allegations of the parties. Relevant evidence thusly compelled is a permissible invasion of privacy based on the condition that it is solely used in the ongoing matter, for instance, as evidence at trial.

But what about a litigant’s private information acquired by an opponent outside pre-trial discovery? Would the disclosure of this information by the opponent in support of their pleadings amount to an actionable breach of privacy against themselves or their counsel? Not under the Privacy Act of British Columbia, according to the BC Court of Appeal in Duncan v. Lessing, 2018 BCCA 9.


In the course of a family law dispute, the wife applied for the disclosure of information regarding the husband’s ties in a number of companies. Included in the application materials were copies of the husband’s personal tax returns. The application materials were filed and sent out for service on the husband’s counsel and the companies named in the application. Five of the companies were properly served, but in two cases, the service agent left the materials with another company wholly unconnected with the litigation. The husband took issue with the disclosure of his financial information to these non-parties, alleging a violation of his privacy, and moved to sue his wife’s counsel under the BC Privacy Act’s statutory tort.

Both the trial judge and the Court of Appeal dismissed the claim, concluding that the disclosure fell outside the purview of the BC Privacy Act’s statutory tort.

Incorporation of Lawyers’ Absolute Privilege into the BC Privacy Act

The Court of Appeal found that the disclosure of private information by a lawyer in the course of judicial proceedings is specifically carved out from the statutory tort of privacy. It based its finding on subsection 2(3)(b) of the Privacy Act, which provides that “[a] publication of a matter is not a violation of privacy if […] the publication was privileged in accordance with the rules of law relating to defamation.”

To the extent that the law of defamation attaches an absolute privilege to all statements made by lawyers in the course of judicial proceedings, the Court found that the disclosure of the husband’s private financial information by the wife’s counsel was privileged and, therefore, excluded from the Privacy Act.

As explained by the Court:

[59] The effect of s. 2(3)(b) of the Privacy Act is to incorporate the absolute privilege that applies in the law of defamation to breach of privacy claims by creating a statutory exception to the tort.

[60] Whether the exception applies in this case depends on the answer to the following question: would the publication at issue be protected by absolute privilege if the claim were in defamation?

[61] In this case, there is no dispute the respondents were acting in the course of their duties to their client as part of a judicial proceeding when the alleged violation of privacy occurred. The alleged violation was serving the materials that contained Mr. Duncan’s private information on the companies.

[62] In my opinion, absolute privilege would have protected the respondents from suit had the materials contained defamatory statements because the occasion was protected. Since, according to the rules of law relating to defamation, the occasion was one to which absolute privilege attaches, the statutory exception in the Privacy Act applies. As such, there was no violation of privacy.

The Court of Appeal left for another day the question of whether absolute privilege, were it not for its incorporation in the Privacy Act, applies to breaches of privacy generally. Without closing the door to the application of absolute privilege to causes of action other than in defamation, the Court stressed that it cannot apply “to shelter counsel from all causes of action arising out of the conduct of judicial proceedings” (para. 68, emphasis from the Court), such as an action for professional negligence or malicious prosecution.

Exemption of Judicial Proceedings from the BC Privacy Act

Moreover, the Court of Appeal found that any act taken in a judicial proceeding, whether by counsel or not, was excluded from the operation of the BC Privacy Act. It based this conclusion on subpara. 2(2)(c) of the Act, which states that there is no violation of privacy when “the act or conduct was authorized or required under a law in force in British Columbia, by a court or by any process of a court”. The Court also hinted that other provisions in the Act support the conclusion that the statutory privacy tort was not intended to apply to disclosure of private information during the litigation process.


The immediate implication of Duncan is to relieve counsel and litigants, at least in BC, from the fear that, in advocating their cause and mounting their case, they expose themselves to privacy breach claims from their opponent or third parties. Although not binding in the rest of the country, Duncan will most likely be taken into account in jurisdictions whose privacy legislation contains similar provisions or jurisdictions like Québec that already witness a trend towards limiting the scope of application of privacy legislation and confidentiality obligations in the context of judicial proceedings.[1] Behind this trend is the rationale that privacy and confidentiality interests in the context of judicial proceedings are best handled by courts, which retain the power to cloak certain pieces of evidence with confidentiality orders where doing so would not unreasonably impinge upon the interest of the public in the publicity of the matter or in the search for the truth.

[1] See, e.g., 9083-2957 Québec Inc. c. Caisse populaire de Rivière-des-Prairies, 2004 CanLII 32390 (QCCA), and Société financière Manuvie c. D’Alessandro, 2014 QCCA 2332.

Bureau Releases Key Competition Policy Themes for Big Data

Posted in Big Data, Competition
Jonathan Bitran, Donald Houston

On February 19, 2018, the Competition Bureau (the “Bureau”) released “Big data and innovation: key themes for competition policy in Canada”. This report is a concise reiteration of the analysis in “Big data and Innovation: Implications for competition policy in Canada”, the white paper the Bureau released for consultation on September 18, 2017. In short, while big data is precipitating rapid change, the Bureau is of the view that its existing analytical principles and enforcement tools are appropriate for dealing with competition issues regarding big data.

In a prior article, we reported on the highlights of the white paper. This summary report reiterates the same themes, with its focus on (i) mergers and monopolistic practices, (ii) cartels, and (iii) deceptive marketing practices.

1.  Mergers and Monopolistic Practices

The Bureau recognizes that different types of businesses have become popular in the big data era, such as multi-sided platforms (e.g., Uber, which has riders on one side and drivers on the other) and products that rely on network effects (e.g., Facebook, which becomes more useful as more members join). This fact means that merger reviews for such businesses may not play out in the customary way.

For example, a business may be found to have market power because it owns valuable data, despite having a low market share. Also, the anticompetitive effects of a merger are typically evaluated by looking to predicted price increases or the lack thereof. That doesn’t work for free products, such as Google or Twitter, where non-price effects, such as service levels, take centre stage.

Nonetheless, these variations to the typical merger review process still fit within the existing merger review framework; the Bureau’s Merger Enforcement Guidelines contemplate that market power does not necessarily require high shares and may include non-price effects.

Interestingly, the Bureau probed the nexus between competition law and privacy law in stating that the way a business deals with privacy matters may affect the perceived quality of its products and, therefore, privacy can be a non-price effect to be evaluated.

2.  Cartels

The Bureau clarified that its usual approach still applies where big data is involved:

  1. Hard-core cartels will be subject to criminal investigation and prosecution.
  2. Conscious parallelism, while it may reduce competitive vigour, is not prohibited by the cartel provisions of the Competition Act (the “Act”). Conscious parallelism occurs where competitors unilaterally mirror each other’s practices, but where there is no agreement between them.
  3. Facilitating practices are not in and of themselves prohibited, but may be evidence of an agreement. Examples include pre-announcing or sharing price lists and, in the big data era, sharing pricing algorithms.

The takeaway is that while big data can lead to novel ways in which to engage in cartel behaviour, the traditional principles apply in assessing whether there has been a breach of the Act. Curiously, the Bureau flagged predictions that in the future, artificially intelligent technologies may collude without human involvement, but declined to provide guidance because such a scenario is too speculative.

3.  Deceptive Marketing Practices

Here, the Bureau continues to focus on privacy, advising that if businesses deceptively collect data from consumers, that could constitute a materially false or misleading representation, contrary to the Act.

On the other hand, the Bureau warns businesses not to use big data to deceive consumers and provides a few examples:

  • Engaging in astroturfing (i.e., fake positive reviews) or native advertising (i.e., disguising an advertisement to make it appear as if it is not advertising, but is rather a news article, for example).
  • Making ordinary selling price claims based on inaccurate data.
  • Creating personalized advertisements that are targeted to “vulnerable” consumers.
  • Making performance claims based on data from third parties that has not been substantiated.

* * *

The overall message is that, at this stage, the Bureau sees no reason to change its policy and enforcement approach in cases involving big data. The Bureau’s view is that big data is changing the landscape, but that these changes can be accommodated by the existing framework. Nonetheless, the Bureau will continue to actively monitor big data’s impact and we may see a different approach in the future.

To date, the Bureau has taken a cautious approach to enforcement action under the existing framework in cases involving big data. For example, the European Commission fined Google €2.42 billion for abuse of dominance, alleging that Google favoured its own comparison shopping service and demoted rival comparison shopping services in its search results. In contrast, the Bureau discontinued its abuse of dominance investigation into Google in 2016. In so doing, the Bureau gave notice that it will continue to monitor developments in the big data economy.

2018 Federal Budget: Focus on Data and Data-Driven Technologies

Posted in AI and Machine Learning, Big Data, Cybersecurity, Open Banking
Kirsten Thompson, Carole Piovesan

A strong theme in the 2018 federal budget (“Budget”) released last week was its emphasis on data and data-driven technologies…and the corollary theme, keeping data and data-driven technologies secure.

Below are some of the data-focused highlights of the Budget.

Open Banking

“Open Banking” refers to an emerging financial services business model that focuses on the portability and open availability of customer data, including transactional information.  The open banking model has been mandated in the European Union and the United Kingdom, and is being reviewed in Australia. The Canadian Government first noted the potential benefits of reviewing the merits of “open banking” in Canada in the second consultation paper respecting the review of the federal financial sector framework which was released in August 2017.  More recently, the Competition Bureau has expressed support for open banking in its final report on its market study into technology-led innovation in the Canadian Fintech sector.

The Budget confirms that the Government proposes to undertake a review of the merits of open banking in order to assess whether open banking would deliver positive results for Canadians with the highest regard for consumer privacy, data security and financial stability.

As in other jurisdictions, open banking is positioned in the Budget as having the potential to increase innovation and competition, and to increase financial inclusion as specific customers or markets (e.g. small and medium sized businesses) are better served.

A key theme is also “empowering consumers” to share their financial data between their financial institution and other third party providers through secure data sharing platforms. In this manner, financial service providers will be enabled to offer more tailored products and services, on a more competitive and innovative basis.

Open banking is also touted as having the potential to provide consumers with greater transparency on the products and services offered by financial institutions, thus allowing them to make more informed decisions, and to make it easier for consumers to move and manage their money.

Big Data

With the rise of data-driven technology such as predictive analytics and artificial intelligence, the Budget recognizes the need to invest in both the technologies and skills required to capitalize on the opportunities in the area of big data. Big data has become an essential tool for progress in science, underpinning world-class research across all disciplines. Improved technologies, such as cloud computing and faster networking, allow for new opportunities to address scientific challenges.

The Budget proposes investment in support for researchers, in big data and in the equipment Canadian researchers need to succeed and lead.

This includes more than $1.7 billion over five years to support the next generation of Canadian researchers through Canada’s granting councils and research institutes. It also includes over $1.3 billion over five years for investments in the laboratories, equipment and necessary infrastructure.

Digital research infrastructure is the collection of connectivity, computing power and storage services needed to support data-intensive and computationally-intensive research.

The Budget proposes to provide $572.5 million over five years, with $52 million per year ongoing, to implement a Digital Research Infrastructure Strategy that will deliver more open and equitable access to advanced computing and big data resources to researchers across Canada. The Government intends to work with stakeholders to develop a strategy to provide more streamlined access for Canadian researchers, including how to incorporate the roles currently played by the Canada Foundation for Innovation, Compute Canada and CANARIE.

Artificial Intelligence

Last year’s Budget made several specific commitments to advancing research and innovation in the area of artificial intelligence (AI), including investments in a Pan-Canadian Artificial Intelligence Strategy.

This year’s Budget proposes a number of investments that are likely to fuel AI research and innovation, without naming AI specifically. The Budget seeks to “transform Canada’s innovation programs—making them easier to access and to use, and expanding support for Canadian companies that want to scale up and sell their innovations in the global marketplace.” It also aims to “make business regulations more efficient, and seeks to promote greater awareness and use by Canadian entrepreneurs of intellectual property, important assets that can fuel the growth of innovative businesses in the modern economy.” Below are some examples of how the Government seeks to achieve these goals under the Budget.

First, the Budget proposes heavy investment in research. Some of these investments include $925 million over five years as follows:

  • $354.7 million over five years ($90.1 million per year ongoing) to the Natural Sciences and Engineering Research Council (NSERC).
  • $354.7 million over five years ($90.1 million per year ongoing) to the Canadian Institutes of Health Research (CIHR).
  • $215.5 million over five years ($54.8 million per year ongoing) to the Social Sciences and Humanities Research Council (SSHRC).

The Budget also announces $275 million to create a new tri-council fund to support research that is international, interdisciplinary, fast-breaking and higher-risk. This fund will be administered by SSHRC.

Colleges and polytechnics will receive $140 million over five years to increase support for collaborative innovation projects involving businesses, colleges and polytechnics through the College and Community Innovation Program.

The Budget proposes investing in technologies that will advance AI innovation. Specifically, the Institute for Quantum Computing in Waterloo will receive renewed funding of $15 million over three years to continue undertaking high-calibre quantum research.

The Budget is also targeting investment in simplifying programs and regulations impacting entrepreneurs. For example, the Budget proposes consolidating the total number of business innovation programs by up to two-thirds, but is increasing the total overall funding available to entrepreneurs, small business owners and other enterprise. The goal of this reform is “to create a suite of programs that is easy to navigate and will respond to the challenges and opportunities facing Canadian businesses today and into the future.”

The Budget has earmarked $4.6 million over five years to enhance the Start-up Visa Program. These monies will focus on the client-service experience by ensuring applicants, private sector partners and immigration officials are able to process applications electronically and more efficiently.

The Government will also propose measures to support a new Intellectual Property Strategy to “help Canadian entrepreneurs better understand and protect intellectual property, and get better access to shared intellectual property.”

Finally, the Budget proposes providing $11.5 million over three years to pursue a regulatory reform agenda focused on supporting innovation and business investment. The stated goal is to “make the Canadian regulatory system more agile, transparent and responsive, so that businesses across the country can explore and act on new opportunities, resulting in benefits for all Canadians.”


New Cyber Security Strategy

With data comes data security. The Budget proposes implementing a comprehensive cybersecurity plan for Canada, consisting of investments of $507.7 million over five years, and $108.8 million per year thereafter, to fund a new National Cyber Security Strategy. The Strategy focuses on three principal goals:

  • Ensure secure and resilient Canadian systems.
  • Build an innovative and adaptive cyber ecosystem.
  • Support effective leadership and collaboration between different levels of Canadian government, and partners around the world.

New Canadian Centre for Cyber Security

The Budget also proposes a strong federal cyber governance system to protect Canadians and their sensitive personal information, and proposes to commit $155.2 million over five years, and $44.5 million per year ongoing, to the Communications Security Establishment to create a new Canadian Centre for Cyber Security.

This new Canadian Centre for Cyber Security is envisioned to establish a single, unified Government of Canada source of unique expert advice, guidance, services and support on cyber security operational matters. To establish the Canadian Centre for Cyber Security, the Budget notes that the Government will need to introduce legislation to allow various Government cyber security functions to consolidate into the new Centre (although federal responsibility to investigate criminal matters will remain with the RCMP).


The Budget proposes to provide $116.0 million over five years, and $23.2 million per year ongoing, to the RCMP to support the creation of the National Cybercrime Coordination Unit. The National Cybercrime Coordination Unit is envisioned as creating a coordination hub for cybercrime investigations in Canada and working with international partners on cybercrime. The Budget also proposes that the Unit establish a national public reporting mechanism for Canadian citizens and businesses to report cybercrime incidents to law enforcement.

Other Measures

The Budget also proposes investments in Shared Services Canada and the Communications Security Establishment to ensure that these organizations are properly resourced to address evolving IT needs and opportunities, and proactively address cyber security threats. This includes:

  • $2.2 billion over six years, starting in 2018–19, with $349.8 million per year thereafter, to improve the management and provision of IT services and infrastructure within the Government of Canada, and to support related cyber security measures.
  • $110 million over six years, starting in 2018–19, to be accessed by Shared Services Canada’s partner departments and agencies to help them migrate their applications from older data centres into more secure modern data centres or cloud solutions.

The Budget also proposed enhancing the security of taxpayer information held by the Canada Revenue Agency, and proposed providing the CRA with $30.0 million over five years to enhance the security measures that protect this information.

The Budget proposes to provide Public Safety Canada with $1.4 million in 2018–19 to continue operations of the Regional Resilience Assessment Program and the Virtual Risk Analysis Cell, programs which support assessments of critical infrastructure facilities, such as energy grids, information and communication technology networks and hospitals. The Virtual Risk Analysis Cell also promotes online information sharing across the critical infrastructure community.

Parliamentary Committee Recommends Substantial Revisions to PIPEDA

Posted in European Union, Privacy
Kirsten Thompson

On February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled “Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act”.

The statutory review of Canada’s federal privacy legislation has been underway for a year, and the Report addresses many of the challenging issues raised by the development of new technologies for the use and dissemination of information. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation (“GDPR”), which comes into force this year.

The Committee’s Report makes 19 recommendations to update the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and to take other measures in respect of individuals’ privacy in their relations with private sector organizations.

An overriding theme and key recommendation is to make privacy by design a central tenet of PIPEDA.  “Privacy by design” is meant to ensure that privacy considerations are taken into account at all stages of development, including the design, marketing and retirement of a product. The Report recommends the inclusion of the seven foundational privacy by design principles in PIPEDA.

The Committee also recommends amending PIPEDA to provide the Privacy Commissioner of Canada with enforcement powers as well as broad audit powers, including the ability to choose which complaints to investigate.

The other recommendations of the Committee include:

  • ensure that consent remains the core element of the privacy regime, while enhancing and clarifying consent by additional means, when possible or necessary;
  • explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, with a view to also implementing a default opt-in system regardless of purpose;
  • consider implementing measures to improve algorithmic transparency;
  • study the issue of revocation of consent in order to clarify the form of revocation of consent required and its legal and practical implications;
  • modernize the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral;
  • consider amending PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests;
  • examine the best ways of protecting depersonalized data;
  • consider implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information;
  • amend PIPEDA to provide for a right to data portability;
  • consider including in PIPEDA a framework for a right to erasure based on the model developed by the European Union (EU) that would, at a minimum, include a right for young people to have information posted online, either by themselves or through an organization, taken down;
  • consider including a framework for the right to de-indexing in PIPEDA and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors;
  • consider amending PIPEDA to strengthen and clarify organizations’ obligations with respect to the destruction of personal information; and
  • amend PIPEDA to replace the term “fraud” with “financial crime” (and propose a definition for that term).

There are additional recommendations focused on Canada working with its EU counterparts to determine what would constitute adequacy status for PIPEDA in the context of the GDPR, and making appropriate changes to PIPEDA to permit the transfer of personal information between the EU and Canada.

Members of the firm’s Cybersecurity, Privacy and Data Management Group are reviewing the Report and future posts will contain more in-depth analysis of specific recommendations.

Department of Finance Releases Consultation Paper on Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime

Posted in Cybersecurity, Financial, FinTech
Ana Badour, Kirsten Thompson, Dilara Alpli


The Department of Finance Canada released a consultation paper (the “Paper”) on reviewing Canada’s anti-money laundering (“AML”) and anti-terrorist financing (“ATF”) regime on February 7, 2018. Comments on the Paper are due April 30, 2018. The Paper follows the recent 2016 Financial Action Task Force (FATF) mutual evaluation report for Canada, which generally stated that Canada had a strong AML/ATF regime but identified certain gaps in the regime.

The Paper contemplates the potential extension of obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”) and its regulations (the “Regulations”) to several new sectors and activities within financial services. The Paper also considers how to better achieve information sharing, and puts forward for consultation certain administrative and technical measures intended to modernize and improve the AML/ATF regime.

Addressing Legislative and Regulatory Gaps: Expanding the Scope of PCMLTFA Obligations

New Entities Proposed to be Subject to the PCMLTFA

The Paper contemplates expanding the scope of PCMLTFA obligations to a number of additional entities:

  • White Label Automated Teller Machines (“WLATMs”): The Paper contemplates including this sector in Canada’s AML/ATF regime as WLATMs can generally be owned and operated by any person or entity, thereby posing money laundering and terrorist financing risk.
  • Pari-Mutuel Betting and Horse Racing: The Paper notes this sector presents similar money laundering vulnerabilities as casinos that are regulated under the PCMLTFA and therefore contemplates subjecting this sector to the regime.
  • Real Estate Sector and Non-Federally Regulated Mortgage Lenders: The Paper recommends expanding the scope of the PCMLTFA to mortgage insurers, land registries and title insurance companies, especially to the extent such entities are engaged in high-risk activities including assisting or performing the purchase or sale of properties and facilitating access to financial institutions, mortgages and loans. The Paper also emphasizes the money laundering risk inherent in mortgages and complex loan schemes and acknowledges the fragmented nature of obligations currently applicable to non-federally regulated mortgage lenders. To address these risks, the Paper contemplates a consolidation of obligations by the PCMLTFA to mortgage lenders including mortgage finance firms, real estate investment trusts, mutual fund trusts, mortgage investment corporations, syndicated mortgages and individuals acting as private lenders.
  • Non-Transactional Activities of Designated Non-Financial Businesses and Professions (“DNFBPs”): The Paper classifies as DNFBPs “accountants and accounting firms, real estate brokers, sales representatives, real estate developers, casinos, dealers in precious metals and stones and British Columbia notaries public and notary Corporations”. While the PCMLTFA regulates financial activities of DNFBPs, the Paper notes DNFBPs engage in other high-risk activities, including the management of client assets and the creation, operation and management of legal arrangements.
  • Company Service Providers: The Paper recognizes that service providers may be used to facilitate the misuse of corporations for money laundering and terrorist financing. It therefore contemplates that PCMLTFA obligations should extend to service providers engaged for the purposes of business formation and management, acting as a director or shareholder and completing corporate filings for a company. In particular, the Paper emphasizes the high degree of money laundering and terrorist financing risk posed by legal professionals who perform financial transactions on behalf of clients and thereby act as gatekeepers to the financial system. The Paper recommends subjecting lawyers, within constitutional boundaries, to the AML/ATF framework.
  • Finance, Lease and Factoring Companies: The Paper identifies that various means of repayment accepted by finance, lease and factoring companies can facilitate the laundering of proceeds. In response, the Paper contemplates imposing PCMLTFA obligations upon entities of all sizes operating in these sectors.
  • Armoured Cars: Consistent with the United States, the Paper contemplates subjecting this sector to the PCMLTFA to mitigate the risk associated with the anonymous movement of bulk cash.
  • High-Value Goods Dealers: The Paper contemplates including these dealers in the regime as a result of the risk stemming from the ease of storing value and laundering proceeds of crime in luxury goods.
  • Jewellery Auction Houses: The Paper contemplates subjecting this sector to the PCMLTFA as it presents similar money laundering risks to dealers in precious metals and stones which are subject to the regime.

Beneficial Ownership

The Paper recognizes the importance of ensuring corporate ownership transparency to prevent the use of complex corporate vehicles for money laundering and terrorist financing. Presently, only four reporting entity sectors – financial entities, securities dealers, money service businesses and life insurance companies – are obliged to collect beneficial ownership information on corporations or other complex legal entities. The Paper notes the difficulty of accessing beneficial ownership information in Canada. In response, the Paper seeks input on ways to improve corporate ownership transparency and timely access to beneficial ownership information. The Paper also seeks views on risks associated with legal entities that are not corporations, such as partnerships and trusts.

The Paper references the 2017 federal budget which announced that the Government of Canada is working to establish a national strategy to enhance the transparency of legal arrangements and strengthen the availability of beneficial ownership information. In December 2017, Canada’s Finance Ministers agreed to pursue legislative amendments to corporate statutes at federal, provincial and territorial levels. The amendments are intended to come into force by July 2019 and are designed to ensure corporations maintain appropriate beneficial ownership information available to relevant authorities and to eliminate usage of bearer shares and bearer share warrants and options.

Structuring of Transactions

The Paper identifies as a potential deficiency the current lack of a prohibition against arranging business models and transactions to avoid triggering reporting requirements under the PCMLTFA. Therefore, the Paper proposes implementing an explicit prohibition on structuring of transactions to avoid reporting requirements and the creation of a criminal offence for breach of such prohibition.

Politically Exposed Persons (“PEPs”) and Heads of International Organizations (“HIOs”)

As a result of holding influential positions, PEPs and HIOs are especially vulnerable to corruption and money laundering risk. Only four reporting entity sectors – financial entities, securities dealers, money service businesses and life insurance companies – are presently subject to obligations to identify PEPs and HIOs in certain situations.  The Paper proposes extending the requirement to make PEP and HIO determinations to a broader set of regulated sectors.

The Paper also recommends adding more precision to the list of individuals and entities covered by the definition of PEP, including for example First Nation Chiefs, and broadening the definition of HIO to include the heads of certain international organizations not established by governments but that may hold considerable influence, such as the International Olympic Committee (IOC) and the Fédération Internationale de Football Association (FIFA).

Enhancing Information Sharing

The Paper emphasizes that information sharing, both within the private sector and between the public and private sectors, is critical to detect and deter money laundering and terrorist financing. The Paper makes several recommendations to improve information sharing, including:

  • Broadening Disclosure of Financial Intelligence Information

The Paper notes that currently the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) is authorized to disclose certain information to Canadian law enforcement agencies, the Canada Border Services Agency, the Canada Revenue Agency and the Canadian Security Intelligence Service. The Paper proposes to expand FINTRAC’s authority to disclose “financial intelligence” to additional recipients, namely, the Competition Bureau (to assist in combatting “mass marketing fraud”) and Revenu Québec (to aid Revenu Québec in combatting tax fraud).

  • Information Sharing with the Private Sector

The Paper notes that the federal Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information collected, used and disclosed by private sector organizations in the course of their commercial activities. The main mechanisms used to empower individuals to control their own information are knowledge and consent. In certain circumstances, however, PIPEDA allows for the disclosure of certain personal information without either knowledge or consent (for instance, in cases of suspected fraud). However, the language of PIPEDA that permits such disclosures is vague, and many organizations decline to rely on this PIPEDA exemption because they fear civil or regulatory liability. The Paper calls for “circumstances and protocols surrounding the effective and appropriate exchange of information” not only between private sector organizations and government institutions but also between private sector organizations.

PIPEDA is the federal private-sector privacy legislation. However, three Canadian provinces also have private-sector privacy legislation (British Columbia, Alberta and Québec) which applies, generally speaking, to provincially-regulated businesses and businesses operating wholly within provincial borders. The proposed expansion of the application of the PCMLTFA to new entities may capture organizations subject to provincial privacy legislation, an area not specifically addressed by the Paper.

  • Enhancing Information Sharing on Methods and Trends of Money Laundering and Terrorist Financing

To support partners in AML/ATF related investigation and prosecution, the Paper advocates for more effective information sharing both within government and with the private sector on methods, trends and transactions related to money laundering and terrorist financing. To achieve this, the Paper encourages collaboration between reporting entities, FINTRAC, national security agencies and law enforcement.

  • Privacy Review of the PCMLTFA

The Privacy Commissioner is granted the authority to review the personal information handling practices of federal departments and agencies; under the Privacy Act, FINTRAC is to be reviewed every two years. The Paper proposes that such reviews be conducted every four years instead.

Strengthening Intelligence Capacity and Enforcement

To improve financial intelligence in a rapidly evolving environment, the Paper makes the following recommendations that are grounded in international policy trends.

  • Electronic Funds Transfers (“EFTs”)

The Paper notes that EFTs passing through Canadian financial institutions where Canada is neither the originating nor the recipient source are not currently subject to reporting requirements under the PCMLTFA. The Paper contemplates subjecting non-client initiated EFTs and other types of transfers that relate to new and evolving payment methods (such as letters of credit, precious metals and securities) to reporting requirements under the regime.

  • Bulk Cash

The Paper recognizes the connection between possessing bulk cash and involvement in criminal activity. The Paper queries: (i) whether a limit should exist on the amount of bulk cash permitted to be carried by a person in Canada in the absence of a legitimate reason; and (ii) whether Canada should establish a registry for businesses dealing in high volumes of cash and whether a limit should be imposed on the amount of cash Canadian businesses could accept and/or report on.

  • Geographic Targeting Orders

The Paper suggests that geographic targeting orders, imposing specific obligations in respect of certain transactions in higher-risk geographic areas, may improve financial intelligence on money laundering and terrorist financing activities. The imposition of such orders, as currently used in the United States, would target popular destinations for transactions in high-value goods, real estate and bulk cash.

  • Border Enforcement – Definition of “Monetary Instrument”

The Paper notes that the PCMLTFA currently requires reporting by persons and entities importing or exporting currency or “monetary instruments” of $10,000 or more. The Paper suggests that the existing definition of “monetary instrument”, which includes stocks, bonds, bank drafts, treasury bills, promissory notes, endorsed and travellers’ cheques and money orders, may be too narrow. The Paper contemplates expanding the definition to include, among others, prepaid payment products.

Modernizing the Framework and its Supervision

The Paper raises the following considerations in pursuit of modernizing and effectively managing the AML/ATF regime.

  • Addressing De-Risking of Money Services Businesses (“MSBs”)

The Paper recognizes that, consistent with a global trend, certain MSBs in Canada have been facing challenges in obtaining and/or maintaining access to banking services as a result of “de-risking” (which the Paper defines as “the practice of financial institutions (or other businesses) exiting relationships with and closing the accounts of clients, either individuals or institutions, because the financial institution perceives the client to be high-risk.”).

The Paper emphasizes that “reporting entities are expected to manage (but not necessarily eliminate) their exposure by taking a risk-based approach with respect to their clients” and that such “assessment is expected to take place on a case-by-case basis and not impact an entire industry.” De-risking of the MSB industry as a whole can have significant impacts, as it affects the ability of the industry to operate and can result in MSBs using alternate banking channels which are less accessible to regulators. These comments echo similar comments made in the Competition Bureau’s Fintech report.

  • Strengthening Registration of MSBs

The Paper notes that registration procedures for MSBs could be improved to strengthen the integrity of the MSB registry and MSBs operating in Canada, including for example by expanding the list of offences that would make an applicant ineligible for registration, and by providing for the option to suspend the registration of an MSB on a discretionary basis when the owners/operators of the MSB are subject to criminal court proceedings.

  • Enhancing and Strengthening Identification Methods

The Paper notes that recent amendments to the Regulations have provided further flexibility in methods that can be used to ascertain identity. However, given the increasing availability of reliable and effective digital identification methods, such as those leveraging blockchain and biometrics (including facial recognition), the Paper recommends that Regulations continue to remain flexible and progress towards a principles-based approach that facilitates risk-based approaches to verifying identity while leveraging technology solutions (including “digital ID” solutions) to the extent possible.

  • Regulatory Sandboxes (Exemptive Relief and Administrative Forbearance)

The Paper notes the establishment of regulatory sandboxes, both in various foreign jurisdictions and in Canada in the securities context by the Canadian Securities Administrators, and notes the potential for such an approach to foster innovation in Canadian financial services. Granting flexibility to such entities to conduct regulatory pilots (by way of exemptive relief and/or administrative forbearance), while protecting the integrity of the AML/ATF regime, could facilitate greater innovation, including the greater use of RegTech solutions. The Paper notes, however, that careful attention should be paid to considerations surrounding the approval of any such regulatory pilots.

  • Whistleblowing

The Paper seeks views on whether the whistleblowing framework in the PCMLTFA should be strengthened, in particular with respect to issues related to MSBs, ID methods, and oversight.

Administrative and Technical Considerations

The Paper puts forward the following administrative and technical considerations to improve the operation of the AML/ATF regime.

  • Public Naming of Administrative Monetary Penalty (“AMP”) Recipients

The Paper recognizes that public naming of an AMP recipient can serve as a highly effective deterrent in furtherance of AML/ATF. Nevertheless, the Paper emphasizes that prior to FINTRAC making public AMP-related information, regard should be had to circumstances in which it would be inappropriate to name an AMP recipient, for example, where it may jeopardize the stability of Canada’s financial system.

The Paper also highlights a limitation of public naming as a means of deterrence as FINTRAC is not permitted to disclose AMP-related information until all proceedings with respect to a violation, including appeals, have concluded. This allows considerable time to elapse between the occurrence of the violation and public disclosure of the violation, and may incentivize prolonged litigation.

  • Confidentiality in Court Proceedings

The Paper reinforces that the purpose behind granting confidentiality orders in AMP appeal procedures is to avoid disclosure of sensitive financial intelligence. These orders should not be granted simply to protect any information in respect of a reporting entity.

  • Calculation of AMPs

In response to criticism (in particular the decision of the Federal Court of Appeal in Kabul Farms Inc. v Canada) that the formula used to calculate AMPs is vague and lacks transparency, the Paper recommends incorporating a formula into the Regulations specifying how AMPs should be calculated. Any such formula should allow for consideration of the specific harm caused by the violation in each case.

  • Clarifying the “Travel Rule” on Electronic Funds Transfer (“EFT”)

The Paper suggests clarifying the “travel rule”, which provides that every reporting entity must include certain prescribed information with an EFT and must take reasonable measures to ensure that any transfer it receives includes such information. Currently, certain financial intermediaries are not passing along the originating client’s information and are instead treating the originating financial institution or another financial institution as the client who requested the EFT.

  • Evaluating Correspondent Relationships

The Paper identifies as a potential deficiency that, upon establishing a correspondent banking relationship, the PCMLTFA presently only requires that financial institutions conduct an initial evaluation of such relationship. The Paper suggests that this requirement be made consistent with international standards that require: (i) financial institutions to evaluate such relationships on a continuous basis; and (ii) correspondent entities, upon entering such a relationship, to identify and take reasonable measures to verify the identity of beneficial owners of a respondent institution.

  • Establishing a Uniform Reporting Schedule

To reduce regulatory burden and complexity, the Paper recommends the creation of a uniform reporting schedule to encompass all information required to be reported upon by reporting entities.

  • Eliminating the Alternative to Large Cash Transaction Reports

As a result of low adoption, the Paper recommends the elimination of the Alternate Large Cash Transaction Record.


The Paper contains a wide-ranging set of potential measures that, should they be implemented, could result in a significantly expanded AML/ATF regime in Canada. In addition to the longer-ranging potential changes set out in the Paper, in the nearer term, amendments to the Regulations are anticipated to be released setting out, among other things, additional obligations relating to foreign MSBs operating in Canada, prepaid cards and virtual currencies.

Budget 2018: Financial Institutions Update

Posted in Financial, Open Banking
Ana Badour, Kirsten Thompson, Nancy Carroll

The 2018 federal budget (the “Budget”) announced a number of measures directed to the financial services sector, including plans to modernize the deposit insurance framework, to implement a resolution framework for Canada’s systemically important financial market infrastructures (“FMIs”), to undertake a review of open banking, to introduce legislative amendments to implement a new framework for the oversight of retail payments and a review of the Canadian Payments Act, to modernize the financial sector framework and to introduce legislation broadening the powers of the Financial Consumer Agency of Canada (“FCAC”).

Deposit Insurance Review

Consistent with last year’s budget, the Government announced plans to introduce amendments to the relevant legislation to update and modernize the deposit insurance framework in Canada, including by modernizing the scope of deposit insurance coverage to better reflect products currently offered, to address trust deposits, and generally to better protect depositors and support financial stability.

Oversight of Financial Market Infrastructures

Again, consistent with last year’s budget, the Government announced that it intended to introduce legislative amendments to implement a resolution framework for Canada’s systemically important FMIs, with the goals of maintaining the availability of critical services provided by FMIs, promoting financial stability and minimizing potential public exposure to losses. Examples of candidates for potential inclusion in the resolution framework include CLS Bank, Swap Clear and the Large Value Transfer System (LVTS).

Open Banking

“Open Banking” refers to an emerging financial services business model that focuses on the portability and open availability of customer data, including transactional information.  The open banking model has been mandated in the European Union and the United Kingdom, and is being reviewed in Australia. The Canadian Government first noted the potential benefits of reviewing the merits of “open banking” in Canada in the second consultation paper respecting the review of the federal financial sector framework which was released in August 2017.  More recently, the Competition Bureau has expressed support for open banking in its final report on its market study into technology-led innovation in the Canadian Fintech sector.

The Budget confirms that the Government proposes to undertake a formal review of the merits of open banking in Canada.

Payments Reform

The Government confirmed that it intends to introduce legislative amendments to implement a new framework for the oversight of retail payments following the recent consultation process triggered by the consultation paper “A New Retail Payments Oversight Framework” issued last July.

In addition, the Government announced its intent to undertake a review of the Canadian Payments Act to ensure that Payments Canada is well positioned to continue to meet its public policy objectives.  The Government noted these consultation processes will include consultation with the provinces and territories.

Financial Sector Framework Review

In connection with the current 2019 Bank Act review, the Budget announces intentions to introduce legislative amendments to implement targeted proposals resulting from the recent review of the federal financial sector framework, including amendments providing greater flexibility for financial institutions to undertake Fintech activities (expanding the business of banking), providing prudentially regulated deposit-taking institutions (such as credit unions) with the right to use generic banking terms (“bank”, “banking”), and permitting life and health insurance companies to make long-term investments in infrastructure.

Consumer Protection

The Budget notes that the Government has undertaken over the last year a comprehensive review of the federal consumer protection framework, and proposes to introduce legislation expanding the FCAC’s tools and mandates, to be implemented through legislation to be developed in consultation with relevant stakeholders, including the provinces and territories.

Anti-Money Laundering

The Budget proposes to introduce amendments to income tax reporting requirements to provide additional beneficial ownership information for trusts and to amend the Canada Business Corporations Act to increase the availability of beneficial ownership information for corporations.

In addition, the Budget announces intentions to propose amendments to modernize legislation requiring the declaration of currency and monetary instruments.


As the Government takes steps to implement the various initiatives outlined in this Budget, financial institutions can expect a number of important regulatory and legislative changes to follow in the near future.

For a discussion of the tax measures in the Budget, please see McCarthy Tétrault’s Budget 2018 Commentary.

IIROC Provides Additional Guidance on Proactive Management of Cyber-related Risks

Posted in Cybersecurity, Financial, Regulatory Compliance
Shane C. D'Souza

On January 18, 2018, the Investment Industry Regulatory Organization of Canada (IIROC) released its Compliance Priorities Report for 2017/2018, identifying cybersecurity as a “high priority” issue that IIROC dealer members should address to improve investor protection and foster market integrity. The report also provides specific guidance on initiatives that dealers may undertake in 2018-19 to proactively manage cyber-related risks.

IIROC’s 2016/2017 Feedback

In 2017, IIROC followed up with small and mid-sized dealers to discuss how they had considered IIROC’s previous feedback that dealers should:

  • maintain “adequate” policies and procedures to safeguard the confidentiality, integrity and availability of the dealer’s data (including clients’ personal information);
  • conduct “regular due-diligence” of third-party IT vendors and service providers to evaluate the adequacy of safeguards against cybersecurity incidents;
  • use encryption and strong passwords to protect “data and sensitive information” stored on all computers, storage servers, web server portals and mobile electronic devices;
  • fix identified security vulnerabilities on a “timely basis”;
  • “develop a cybersecurity incident-response plan that includes: a description of the different types of possible incidents; procedures to stop an incident and eliminate the threat; procedures for recovery of data; investigation of an incident; and incident notification and reporting obligations”.

IIROC Guidance for 2018/19

Building on the foregoing recommendations, IIROC has recommended that dealers:

  • conduct “table-top simulations” of cyber-incident scenarios that may occur to help participants develop and improve their cyber-incident response plans; and
  • complete another self-assessment survey to assess the dealer’s and overall industry’s preparedness in response to cyber-incident risks.

IIROC will continue its partnership with the Investment Industry Association of Canada (IIAC) to support and provide best-practice guidance to improve dealers’ cybersecurity preparedness, and directed dealers to IIAC’s Due Diligence Procedures on Data Security by Third-Party Service Providers publication dated July 2017. The IIAC also has a Cybersecurity Guidebook dated June 2015.

The members of McCarthy Tétrault’s Cybersecurity, Privacy and Data Management Group regularly assist organizations in meeting their compliance obligations and managing cyber-risk. For more information, please contact the author.

UK Financial Conduct Authority Proposes Global Fintech Regulatory Sandbox

Posted in FinTech, Regulatory Compliance
Ana Badour, Arie van Wijngaarden

On February 14, 2018, the United Kingdom Financial Conduct Authority (FCA) published a proposal for a global regulatory sandbox.  The goal of a regulatory sandbox is to encourage innovation by allowing carefully-selected firms to test their concepts on a controlled subset of consumers without triggering full regulatory requirements at the outset.  This can be particularly useful to Fintech start-ups that often face a complex regulatory structure.

The concept of a regulatory sandbox has been popular to date in the UK. Since the FCA launched the first regulatory sandbox in 2016, more than 60 firms have tested their innovations. Over 40% of the first cohort of sandbox firms received investment funding during or following sandbox testing. Other countries, including Canada (with respect to securities regulation), Australia, Hong Kong, Singapore and the Netherlands, have also created their own sandboxes.

Currently, the FCA has nine different bilateral Fintech cooperation agreements with regulators in other jurisdictions (including an agreement with the Ontario Securities Commission). A global sandbox could be a useful one-stop shop and a more efficient way for Fintechs to scale globally.

Designing a Global Sandbox

A global sandbox would be a much larger regulatory “safe-space” in which Fintechs could test their ideas in multiple jurisdictions. Participating jurisdictions would have to agree upon a common protocol for firms wanting to enter the sandbox, as well as common supports for start-ups with global ambitions.

The proposed global sandbox would be focused on cross-jurisdictional issues, such as Anti-Money Laundering (AML) / Know Your Customer (KYC) requirements. Testing in a global sandbox could involve two or more jurisdictions at the same time, meaning that multiple regulators would be giving their feedback. A global sandbox could bring together the diverse perspectives of multiple regulators on cross-border issues and allow for common reporting and policy coordination.

The concept of a global sandbox could benefit entities wishing to participate in such a sandbox in a number of ways. First, it could provide those entities with access to a larger customer base, a concept especially attractive for businesses based in smaller markets such as Canada. This would allow such businesses to more quickly achieve economies of scale and network effects. Second, as a related point, certain Fintech business models can be very data-intensive (such as businesses focused on credit analysis or fraud analysis). Generating significant amounts of data with a customer base in one country can be challenging, and a global sandbox could provide the opportunity to create and leverage larger (and therefore more helpful) data sets. Third, entities may spend significant resources undergoing the application process to participate in a sandbox in any single jurisdiction, and would therefore benefit from a more efficient coordinated process across jurisdictions.

A global sandbox could also potentially help Fintechs test their concepts in jurisdictions where sandboxes have not progressed as quickly as in the UK, such as continental Europe (potentially limiting the impact of Brexit on the UK Fintech market) and the United States. A global sandbox could also benefit countries that choose to participate, as they would gain access to best practices learned from the UK’s sandbox experience.

Implications for Canada

A global Fintech regulatory sandbox would likely be attractive to Canadian Fintechs seeking to expand globally. The UK has been a market of interest for Canadian Fintechs. Several Canadian Fintechs have been part of trade missions to the UK and, as noted above, the FCA and the Ontario Securities Commission (OSC) previously entered into a Fintech cooperation agreement. A global sandbox could make cooperation with the UK even easier.

However, a global sandbox remains a challenging proposition.  Coordinating regulatory policy between different jurisdictions with different interests and regulatory cultures can be very difficult. For this reason, the FCA has acknowledged that “a full multilateral sandbox, which allows concurrent testing and launch across multiple jurisdictions, is an ambitious goal”.  While ambitious, the concept is nonetheless an attractive one for many stakeholders.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.