This series features insights on timely issues shaping the fintech industry, addressing critical subjects industry participants must consider in the areas of financial regulation, securities, commercialization of IT, AI, digital currencies, IP, data governance and privacy, tax, corporate finance, private equity, M&A and asset tracing.
In this Q3 2023 update, we look at some of the main trends in fintech that the Bennett Jones team noted as participants at this year's Money20/20 conference in Las Vegas, the largest global fintech event, including:
- open banking;
- AI; and
- digital ID.
In this issue, we also look at Canadian Securities Administrators (CSA) released Staff Notice 21-333, which elaborates on the CSA's interim approach to regulating value-referenced crypto assets.
There was significant talk among fintech companies on the U.S. Consumer Financial Protection Bureau (CFPB) proposal to introduce a Personal Financial Data Rights rule, which would accelerate the introduction of open banking in the U.S. by requiring financial institutions to share personal data with third parties such as fintech companies via APIs when directed to do so by the customer.
The U.S. would join Europe, the U.K., Australia, Singapore and other jurisdictions that have already introduced open banking. Canada remains behind peer jurisdictions in open banking, as we noted in our Q1 2023 update, and as David Dodge wrote in the Globe and Mail in June 2023 and as Matt Flynn discussed previously the National Post in 2019. The U.S. adoption could accelerate the adoption of open banking in Canada, but we do not yet have draft rules.
Not surprisingly, the use of AI as a tool to improve and accelerate Fintech offerings was a major theme of Money2020 this year. Equally unsurprising was the focus on privacy and safety when it comes to utilizing AI. The key takeaway? AI is not a one-size-fits-all, simple plug and play proposition. Organizations need to put some real thought into leveraging AI to balance productivity and profit with safety and accountability. For example:
- What data will the organization use with AI, and what data should it not?
- Is the use of a mass-market, large language model appropriate?
- What due diligence should be done in respect of AI vendors?
- Who will be tasked with reviewing the output of the AI?
- What records should be kept in respect of the organization's use of AI?
It's notable that one week after Money20/20 wrapped up for another year, U.S. President Joe Biden issued an executive order on "safe, secure, and trustworthy artificial intelligence", with a focus on new standards for AI safety and security and privacy, amongst other principles.
It's also notable that Canada's proposed Artificial Intelligence and Data Act (AIDA) remains—like the related proposed privacy Bill C-27, the Digital Charter Implementation Act, and the open banking file—sitting on the sidelines. For more information on the Canadian government's involvement in the AI industry, read our insights on the AIDA and its companion document and the Guide on the use of Generative AI for federal institutions.
This year we saw particular growth in new technologies to verify identity and protect against fraud. It has long been said that passwords are the "weakest link" and one of the most common causes of security breaches, as we highlighted previously in our tips for cybersecurity employee training.
As AI technology makes password hacking incrementally easier, companies such as Kelvin Zero are developing authentication systems that replace passwords with biometric passes.
Canadian Securities Administrators (CSA) Released Staff Notice 21-333
On October 5, 2023, the Canadian Securities Administrators (CSA) released Staff Notice 21-333, which elaborates on CSA's interim approach to regulating value-referenced crypto assets (VRCAs) as outlined in Staff Notice 21-332 released in February 2023.
Through SN 21-332, the CSA defined VRCAs as all crypto assets that are designed to maintain a stable value over time by referencing the value of a fiat currency or any other value or right, or combination thereof. As noted in our Q1 2023 Fintech report, the CSA also confirmed its view that VRCAs are generally considered to be securities, derivatives or both. SN 21-332 contemplated that on an interim basis, the CSA may permit crypto-asset trading platforms (CTPs) to allow their Canadian clients to continue trading certain VRCAs that seek to replicate the value of a single fiat currency where the issuer of the VRCA sets aside an adequate reserve of assets denominated in the fiat currency (fiat-backed crypto assets or FBCAs), subject to certain terms and conditions.
The recently released SN 21-333 provides further guidance on the CSA's interim approach and sets out the terms and conditions that registered CTPs and CTPs that provided a pre-registration undertaking (PRU) must follow if they wish to continue allowing Canadian clients to purchase or deposit VRCAs (SN 21-333 does not apply to VRCAs that are not FBCAs or to any new VRCAs that a CTP may wish to offer after the publication date of SN 21-332 (the CSA has outlined alternative regulatory approaches in respect of these instruments)). Among others, SN 21-333 sets forth the following key terms and conditions:
- The VRCA must reference, on a one-for-one basis, the value of a single fiat currency in either the Canadian dollar or the United States dollar.
- All of the assets that comprise the reserve of assets of a VRCA must (i) be measured at fair value (in accordance with Canadian GAAP for publicly accountable enterprises or U.S. GAAP at the end of each day), (ii) be held with a qualified custodian, apart from the assets of the issuer of the VRCA, and (iii) be for the benefit of the VRCA holder and not be encumbered or pledged as collateral at any time.
- The issuer of the VRCA must file an undertaking acceptable to the CSA whereby the issuer confirms that it will abide by and adhere to the specified terms and conditions, including increased public disclosure requirements.
In the wake of SN 21-333, all CTPs, whether registered or unregistered, that are in the business of allowing clients to either buy or deposit VRCAs should review their policies and procedures for compliance with the new interim terms and conditions. In particular, CSA has noted that if a registered CTP or a CTP that provided a PRU does not intend to allow clients to continue to buy or deposit VRCAs, the CSA expects the CTP will no longer allow clients to do so by December 29, 2023, and if a registered CTP or CTP that provided a PRU would like to continue allowing clients to buy or deposit VRCAs, the CTP should:
- contact its principal regulator as soon as possible to discuss the process for implementing the terms and conditions;
- by December 29, 2023, no longer allow clients to buy or deposit VRCAs that are not FBCAs that satisfy the required conditions; and
- by April 30, 2024, no longer allow clients to buy or deposit FBCAs that do not comply with the required terms and conditions.
As we noted in September 2023, the OSC is continuing to take enforcement efforts at offshore CTPs that are not registered in Canada.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.