Canada: Proposed Expansion Of Bank Fintech Powers: Key Issues And Next Steps

Last Updated: June 12 2018
Article by Koker Christensen, Alex Cameron and Sarah Chouinard

Recent proposed amendments to the Bank Act that would expand the power of banks and other financial institutions to engage in fintech activities have faced a number of challenges before the Senate Committee on Banking Trade and Commerce. The proposed amendments were considered at recent hearings held by the Committee at which concerns were raised that engage policy issues relating to fintech, open banking, and control and protection of customer data. This Bulletin summarizes the key issues raised at the hearings and discusses how these relate to the broader policy issues at hand.

Proposed Amendments

The Budget Implementation Act, 2018, No. 1 (the "Budget Bill") introduced earlier this year proposes the following amendments to the Bank Act, the Trust and Loans Companies Act and the Insurance Companies Act:

  • Broad powers for financial institutions to refer customers to other entities.
  • Broad powers for financial institutions to collect, manipulate and transmit information, as well as engage in a broad range of technology-related activities without regulatory approval.
  • New powers for financial institutions to commercialize activities developed in-house and provide them to third parties.
  • New powers for financial institutions to provide identification, verification and authentication services.
  • New powers for financial institutions to invest in entities a "majority" of whose activities consist of financial services activities that a financial institution is permitted to carry on.

There is some debate about the extent to which banks already have some of these powers on the basis that they fall within the "business of banking". As well, it is envisioned that these new and expanded powers will be subject to regulations which have not yet been issued. Nevertheless, these amendments are a significant development and, if implemented, would give banks explicit powers to engage in a wide range of innovative technology related activities.1 

These proposed amendments were welcomed by the banking industry, which was generally of the view that the current provisions of the Bank Act inhibited innovation and were out of step with technological developments. In a response to the consultation paper, the Canadian Bankers Association (CBA) stated that the Bank Act in its current state imposes onerous obstacles to partnering with fintechs, which are a remnant of a time when the now strong link between technology and banking activities was far less clear. In recent years, innovative new technologies have become integral to nearly every industry, and these legislative barriers are hindering the ability of banks to take full advantage of the products that fintechs can offer.2

Open Banking

The proposed amendments are consistent with a move toward "open-banking", which would see consumers have the right to choose to share their own banking information with a wide range of other financial services providers and other businesses.

The Department of Finance issued a consultation paper last year entitled "Potential Policy Measures to Support a Strong and Growing Economy: Positioning Canada's Financial Sector for the Future" that sought input on, among other matters, the merits of open banking. The paper described the benefits of open banking as making it easier for consumers to interact with financial service providers, and increasing competition. At the same time, the consultation paper noted the importance of protecting consumer's security and privacy.

In a response to the consultation paper, the CBA noted that protection of consumer privacy will be a central component of any system which allows third party access to financial data. The CBA stated that both verifying customer instructions when third parties request access to information, and ensuring the legitimacy and capacity of the third party to handle the information would be considered before granting access. Similarly, the CBA wrote that ensuring customers comprehend the scope and risks associated with data sharing will be paramount to obtaining informed consent.3

In December 2017, the Competition Bureau published a market study on technological innovation and the financial services sector. One of the recommendations therein is that "Policymakers should embrace broader 'open' access to systems and data through application programming interfaces. With more open access to consumers' data (obtained through informed consent and under an appropriate risk-management framework), fintech can help consumers overcome their inability or unwillingness to shop around by paving the way for the development of bespoke price-comparison tools, and other applications that facilitate competitive switching."

The Competition Bureau also recommended that industry participants and regulators should explore the potential for digital identification to facilitate client identification processes, which is also reflected in the proposed amendments to federal financial institutions legislation.

The Senate Committee Hearings

In response to the amendments proposed in the Budget Bill, the Senate Committee on Banking Trade and Commerce recently conducted hearings with a range of witnesses and stakeholders to discuss the proposed amendments, cybersecurity concerns, and other implications. 

Privacy and Cybersecurity

The Committee sought assurances that the changes will not allow banks to transfer sensitive banking records to third parties in ways that are not clearly understood and agreed to by their customers. Bank officials responded that customer consent is required and that information sharing contracts with third parties have strong privacy and security safeguards that allow banks to audit how the outside companies use customer data.

The Committee was also concerned about cybersecurity, and the potential for data breaches in entities to whom the banks transfer information both domestically and internationally. In drafting the amendments, the government has identified a goal of creating a new cybersecurity strategy, and making Canada a global leader in this regard. Bank officials called the Committee's attention to the proposal to create a centralized hub for sharing best practices and information concerning cybersecurity which would apply to all important financial sectors. Bank officials argued that this will help to consolidate cybersecurity expertise across the federal government, thereby increasing consumer protection. Similarly, they argued that this consolidation would lead to a unified approach to dealing with foreign entities and associated threats. Officials clarified that the resulting sharing of information to protect against cybersecurity risks will not entail central storage of sensitive data.

The Privacy Commissioner of Canada (who reportedly had not been consulted about the proposed amendments), told the Committee that based on available information, the proposed provisions failed to strike the right balance between fostering commercial innovation and protecting consumer privacy. The Commissioner expressed the view that fintechs are generally required to obtain valid, meaningful express consent from customers before dealing with their financial information. However, the Commissioner expressed the concern that problems with the current consent model will inhibit adequate protection and that he had reason to believe that financial institutions and fintech organizations intended to proceed under the proposed amendments without obtaining customers' express consent.

The Commissioner stated that if the financial sector actually obtained express, informed consent and privacy issues were addressed in the regulations that will be implemented under the Budget Bill, reasonable privacy protection could be achieved, but that he lacks legal authority to compel compliance with privacy law. He suggested that giving his office the authority to require the financial sector to obtain express consent would be the most direct way to rebalance the legislation (although currently the Commissioner has the power to initiate investigations and to seek enforcement through the Federal Court).

Questions of privacy and cybersecurity are plainly among the key issues that the Committee is grappling with. However, the Commissioner's submissions to the Committee must also be read in a broader context. First, the Commissioner's stated concerns regarding the efficacy of current approaches to consent are not specific to the financial industry or fintech. Indeed, commencing in 2016, the Commissioner undertook a sweeping review of the concept of consent across all industries and activities regulated by PIPEDA: see Consultation on consent under the Personal Information Protection and Electronic Documents Act. This consultation recently led the Commissioner to issue a new guidance document, Guidelines for Obtaining Meaningful Consent, which will be applied by the Commissioner as of January 1, 2019. The Commissioner simultaneously issued a second guidance document, Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3) to be applied on July 1, 2018. These guidance documents were published two days after the Commissioner appeared before the Committee and are discussed in the following bulletin: Privacy Commissioner Issues Key Guidelines for Consent and Inappropriate Data Practices.

Second, the Commissioner's call for the power to compel the financial sector to obtain express consent is the latest example of the Commissioner's broader push for the power to make binding orders to enforce compliance with PIPEDA. This question is not unique to fintech or the financial industry. Earlier in 2018, the Standing Committee on Access to Information Privacy and Ethics issued a sweeping set of recommendations for amendments to PIPEDA: Towards Privacy by design: Review of the Personal Information Protection and Electronic Documents Act, including that PIPEDA be amended to give the Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.

Following his submissions to the Committee, the Commissioner sent a follow-up letter to the Committee to request that PIPEDA be amended to include an additional requirement to obtain valid consent and that the Commissioner be given order making power. These changes were not limited to the financial sector, however. Consistent with the broader initiatives described above, the requested amendments to PIPEDA would be applicable to all organizations subject to that law and would therefore represent a sweeping change to PIPEDA and the ombuds model that has been in place under that statute for nearly two decades.

Insurance Business

Concerns were also raised during the hearings about whether the proposed amendments could allow banks to expand their activities in the insurance space. The Association of Mutual Insurance Companies (AMIC) told the committee that the Bank Act changes "open up a new line of business for banks" to sell customer data. The concern is that this would allow banks to conduct insurance activities, which is restricted under the Bank Act and the Insurance Business (Bank and Bank Holding Companies) Regulations. It was argued that the amendments would facilitate the transfer of banking data, to fintechs, who in turn can use the data to underwrite insurance products.

Committee members expressed concern that banks could further the sale of insurance through a relationship with a fintech by using either the referral power, or a reduction in an outsourcing cost. Bank officials responded that this would not be the case because the networking powers are subject to s. 416 of the Bank Act, which prohibits banks from undertaking the business of insurance except as permitted under the Bank Act. The CBA also assured the committee it was not the intention of the banks to attempt this.

The debate over the desirability of fintechs having access to bank data and using it for insurance purposes is related to the debate over the desirability of open banking. Some committee members expressed the view that there should be no complaints about fintechs partnering with banks and moving into the insurance market because it promotes more competition.

Looking Ahead

It remains to be seen whether any changes will be made to the proposed amendments to federal financial institutions legislation or PIPEDA. Regardless, issues relating to fintech, open banking, and  protection of customer data will undoubtedly continue to be at the forefront of financial sector policy for the foreseeable future.

Footnotes

1 Currently, FRFIs are permitted to engage in collection, manipulation and transmission of information which is primarily economic (in Canada), or to design, hold, manage or otherwise deal with data transmission devices or platforms which provide primarily financial or economic information only with the approval of the Minister of Finance.

2 Review of the Federal Financial Sector Framework (PDF); Submission to the Department of Finance Canada (29 September 2017), online:  Canadian Bankers Association, at page 6.

3 Ibid, at page 12.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions