Written By Matt Flynn, Simon Grant and Kwang Lim

As we highlighted in our last quarterly Fintech update in 2023, a new regulatory framework under the Retail Payments Activities Act (RPAA) will soon affect all retail payment service providers (PSPs) doing business in Canada.

PSPs will be able to register with the Bank of Canada from November 1 to 15, 2024, with compliance obligations to take effect in 2025.

The Bank of Canada recently released draft supervisory guidelines to help PSPs understand those compliance obligations (copies of which can be found on the Bank of Canada's website). The following drafts are open for public comment until May 21, 2024:

• operational risk and incident response;
• incident notification;
• safeguarding end-user funds; and
• notice of significant change or new activity.

Proposed Amendments to Public Crypto Asset Funds

On January 18, 2024, the Canadian Securities Administrators (the CSA) released a notice and request for comment concerning proposed amendments to National Instrument 81-102 Investment Funds and Companion Policy 81-102CP Investment Funds (the Proposed Amendments) pertaining to public investment funds that invest in crypto assets (Public Crypto Asset Funds).

The Proposed Amendments regarding NI 81-102 include:

• Alternative Mutual Fund: broadening the definition of "alternative mutual fund" to include mutual funds investing in crypto assets;
• Restrictions on Investing in Crypto Assets: permitting only alternative mutual funds and non-redeemable investment funds to buy, sell, hold or use crypto assets directly and limiting the types of crypto assets in which these funds can invest. Public Crypto Asset Funds would be prohibited from buying or holding non-fungible crypto assets;
• Prohibitions on Certain Transactions: prohibiting the use of crypto assets in securities lending, repurchase transactions and reverse repurchase transactions, wherein crypto assets are bought and subsequently sold at a specified price;
• Money Market Funds: clarifying that a money market fund cannot buy or hold crypto assets;
• Custodianship of Portfolio Assets: adding requirements applicable to custodians and sub-custodians that hold crypto assets on behalf of an investment fund (Crypto Custodians), including requirements that Crypto Custodians keep crypto assets in offline storage, maintain insurance regarding crypto assets, and obtain an annual report by a public accountant assessing the Crypto Custodian's internal management and security; and
• Sale of Securities of a Mutual Fund: permitting Public Crypto Asset Funds to accept crypto assets as subscription proceeds under certain conditions.

The Proposed Amendments regarding 81-102CP include:

• Crypto Assets: providing greater guidance on the definition of "crypto assets." Specifically, the definition will consider a crypto asset to include any digital representation of value that uses cryptography and distributed ledger technology, or a combination of similar technology, to create, verify, and secure transactions;
• Investing in Crypto Assets: clarifying that Public Crypto Asset Funds can acquire crypto assets from sources outside of recognized exchanges so long as the crypto assets meet certain requirements; and
• Custodian Standard of Care: providing direction on the standard of care for crypto custodians.

In publishing the Proposed Amendments, the CSA has opened a 90-day comment period to solicit feedback and comments, which terminates on April 17, 2024.

OSFI's Guideline On Technology and Cyber Risk Management

In Q1 2024, the Office of the Superintendent of Financial Institutions (OSFI) of Canada released its Guideline B-13 – Technology and Cyber Risk Management, which sets out OSFI’s requirements for the management of technology and cyber risk for federally regulated financial institutions (FRFIs).

This is important for Fintechs because the roster of FRFI’s under OSFI’s regulatory purview includes 400 financial institutions—including all banks (domestic and foreign) and insurance companies. If a Fintech offers a service to one or more FRFI’s and that service interacts with or otherwise impacts the FRFI’s technology assets or systems, it can expect the FRFI to pass relevant B-13 mandated obligations along to the Fintech—legal and operational. This will add risk and cost to the Fintech and will likely impact pricing and commercial terms around risk allocation including indemnities, limits of liability and insurance requirements, and the Fintech’s information security posture. To add to the fun, OSFI states Guideline B-13 should be considered along with existing OSFI guidance and tools including: the Corporate Governance Guideline, Guideline E‑21 (Operational Risk Management), the revised draft Guideline B‑10 (Third-Party Risk Management), the Technology and Cyber Security Incident Reporting Advisory and the Cyber Security Self-Assessment tool.

Lost yet? Bennett Jones is here to help you navigate the path forward.

Open Banking

On the open banking file, the Canadian federal government has promised framework legislation in its upcoming budget set for April 16, 2024. This publication, and indeed this author, has commented on Canada’s glacially slow pace in adopting open banking. When it does, will Canadian consumers themselves adapt to and adopt open banking? Time will tell, but at the very least, it will give Fintechs and consumers new ways to provide and receive financial services in Canada. And change is healthy.