Wealthy and ambitious Canada, home to the world’s ninth-largest economy,1 is poised for incredible innovation in the financial sector. Venture capital funding for fintech companies is booming, the AI ecosystem is well developed,2 and the COVID-19 pandemic spurred on increased demand for digital services and products.3 The government is eager to digitalize its services, strengthen the digital economy and bolster the country’s global competitiveness.
Meanwhile, the pandemic drove an increase in the severity of cybersecurity incidents and lent uncertainty to Canada’s economic outlook. The average cost of a data breach rose to CAD$6.75 million (approximately USD$5.40 million) per incident in 2020, up from CAD$6.35 million (approximately USD$5.06 million) in 2019.4 The Canadian government has been slow to respond to the evolving threat landscape, which could hinder its delicate post-pandemic economy recovery. The Canadian economy contracted by 5.4% in 2020, its worst economic performance on record,5 and the GDP is expected to plunge by a record 12% in the second quarter of 2021.6 The highly infectious Delta variant could cause further hits to economic growth, but overall financial stability remains strong.
The 2021 national digital agenda focuses on the digitalization of government services, innovation in payments and a potential central bank digital currency (CBDC). An updated data privacy act, introduced in November 2020, has stalled. Provincial governments have been especially progressive in their digitalization efforts. Ontario plans to introduce Canada’s first provincial data authority and a trustworthy AI framework, and provinces have flocked to introduce digital IDs and digitalize government services. At the national level, the Pan-Canadian Trust Framework has gone through alpha testing and when launched will positively impact Canada’s economy. A key challenge will be ensuring that further digital transformation does not exclude vulnerable populations, especially Indigenous and rural communities. Although digitalization has helped to ensure economic resilience amidst the pandemic, it has widened the country’s digital divide.7 Alongside increasing digitalization, Canadian regulators must also seek to bolster national cybersecurity measures and provide extra support for small and medium-sized entities.8
Financial Regulatory Authorities
The Bank of Canada is the central bank.
The Office of the Privacy Commissioner of Canada (OPC) is the primary data protection authority that supervises and guides individuals and businesses regarding protection of personal information.
The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency reporting to the Minister of Finance that acts as the primary authority regulating financial institutions conducting business in Canada.
The Financial Consumer Agency of Canada (FCAC) is a federal regulatory agency that assists financial institutions with consumer protection compliance in relation to federal legislation and implementing regulations.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) is Canada’s financial intelligence agency that detects and prevents money laundering and terrorist financing.
The Canadian Securities Administrators (CSA) is an organization composed of Canada’s provincial securities regulators that facilitates effective regulation in the country’s capital markets.
Policy, Laws and Regulations
Final Report on Open Banking, 03 August 2021
The Advisory Committee on Open Banking issued its Final Report, which details recommendations for the implementation of a national open banking system. Per the report, three pillars must be established for open banking to begin operating:
- 1. “Common rules for open banking participants to replace the need for bilateral contracts and ensure consumers are protected;
- 2. An accreditation framework and process to allow third party service providers to participate in an open banking system; and
- 3. Technical specifications that allow for safe and efficient data transfer and serve the established policy objectives.”9
The Committee also lists six consumer outcomes that should underpin open banking:
- “Consumer data is protected
- Consumers are in control of their data
- Consumers receive access to a wider range of useful, competitive and consumer friendly financial services
- Consumers have reliable, consistent access to services
- Consumers have recourse when issues arise
- Consumers benefit from consistent consumer protection and market conduct standards”10
The Committee supports a speedy approach to the rollout of open banking, with an operational date of January 2023.
Central Bank Paper on the Positive Case for a CBDC, 20 July 2021
The Bank of Canada’s staff discussion paper The Positive Case for a CBDC states that a central bank digital currency is “probably necessary” to ensure a competitive digital economy. A CBDC could promote innovation and competition, and would be particularly valuable in “disciplining” the payments market. The authors note two main benefits per this argument: a CBDC could enable new markets and applications, as well as limit “abuses of market power” and avoid “coordination failures in payments and new markets such as for smart contracts.” The two potential scenarios that would motivate the issuance of a CBDC include significantly low national cash use and the widespread adoption of alternate digital currencies, the latter of which is unlikely.
In 2020, the central bank developed four business priorities per its digital transformation strategy, including “advancing work toward a central bank digital currency as a contingency.” The bank’s Annual Report 2020, released in April 2021, states that the introduction of a CBDC is not imminent but that it continues to monitor changes in the payments landscape.
Updated ISO 20022 Lynx Message Specifications, 19 July 2021
Payments Canada updated its ISO 20022 message specifications for Lynx, a new real-time gross settlement system as part of Payments Canada’s modernization initiative. “The updated specifications will allow Lynx participants to prepare their existing applications to leverage the value of the ISO 20022 messaging standard. This includes access to enhanced remittance data, support for global interoperability, and improved transparency. Vendors who support Canada’s payments ecosystem can use the published messages to update their applications and develop new services for Lynx participants and the wider ecosystem. The ISO 20022 messages for Lynx also support Canadian financial institutions preparing to meet SWIFT’s ISO 20022 migration date for cross-border payments, expected to roll out at the end of 2022.” Lynx will go live in 2021.
On 02 March 2021, Payments Canada announced that it had chosen Interac Corp. as the exchange solution provider for the Real-Time Rail (RTR), Canada’s upcoming real-time payments system. RTR will allow Canadians to initiate and receive payments within seconds, around the clock. It is expected to go live in 2022.
Retail Payments Activities Act Receives Royal Assent, 29 June 2021
Released as part of budget Bill C-30, the Retail Payments Activities Act (RPAA) establishes a new regulatory framework for retail payment activities, applicable to payment service providers (PSPs) whose place of business is in Canada and PSPs outside of Canada whose retail payment activities are directed at individuals or entities in the country. Retail payment activities are defined as payment functions, which involve:
- “The provision or maintenance of an account that, in relation to an electronic funds transfer, is held on behalf of one or more end users
- The holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity
- The initiation of an electronic funds transfer at the request of an end user
- The authorization of an electronic funds transfer or the transmission, reception or facilitation of an instruction in relation to an electronic funds transfer
- The provision of clearing or settlement services”
The Act seeks to protect consumers, drive innovation and regulate disruptive technologies, and could be instrumental in helping fintech companies to compete with traditional banks. It requires that PSPs register with, submit an annual assessment fee to, and report to the Bank of Canada, which is responsible for oversight and monitoring trends in retail payment activities. PSPs must also develop and implement a risk management and incident response framework, which will be assessed by the central bank, and issue disclosures to end users. Fines up to CAD $10 million (approximately USD $8 million) may be imposed for non-compliance.
FINTRAC Updates Identity Verification Methods, 01 June 2021
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) updated its methods on the identity verification of persons and entities, which went into effect 01 June 2021, per the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). The previous guidance included three methods: the government-issued photo identification method, the credit file method and the dual process method. The updated guidance introduces two new methods: the affiliate or member method and the reliance method. The affiliate or member method requires that one of the following has previously identified the person or entity:
- “An affiliate that is a [reporting entity: “RE”] referred to in any of paragraphs 5(a) to (g) of the PCMLTFA
- A foreign affiliate that carries out activities outside of Canada that are similar to the activities of an RE referred to in any of paragraphs 5(a) to (g) of the PCMLTFA
- A financial entity that is subject to the PCMLTFA and is a member of your financial services cooperative or credit union central”11
Paragraphs 5(a) to (g) cover reporting entities such as certain authorized foreign banks; certain cooperative credit societies, savings and credit unions; and companies covered by the Trust and Loan Companies Act.
The reliance method requires that a person’s or entity’s identity may be verified through reliance on measures previously taken by:
- “Another RE (person or entity that is referred to in section 5 of the PCMLTFA)
- An entity that is affiliated with you or with another RE and carries out activities outside of Canada that are similar to those of a person or entity referred to in any of paragraphs 5(a) to (g) of the PCMLTFA (an affiliated foreign entity)”12
Digital Operations Strategic Plan: 2021-2024, 24 May 2021
The Canadian government unveiled its Digital Operations Strategic Plan: 2021-2024, which outlines priorities toward digitalizing government services, including a “common and secure approach” to digital identity. The report states, “We are on track to launch the OneGC platform, which will allow individuals and businesses to use a single identity and password to access federal government services through a single window on Canada.ca.”
In September 2020, the Digital ID & Authentication Council of Canada (DIACC) launched the alpha testing phase of the Pan-Canadian Trust Framework, “a set of digital ID and authentication industry standards” seeking to deliver economic benefits across the public and private sectors. The alpha testing phase will also contribute to the introduction of the DIACC PCTF Voila Verified Trustmark Assurance Program (“Voila Verified”) in late 2021 or early 2022.13 The program will issue a PCTF Voila Verified Trustmark to entities in compliance with PCTF standards.14
FINTRAC and the Society of Notaries Public of British Columbia signed a Memorandum of Understanding (MoU) enabling information sharing per compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. The MoU seeks to reduce the “duplication of effort and compliance burden for notaries public in British Columbia.” Information to be shared for compliance purposes includes “lists of person and entities subject to their respective Acts and Regulations as well as compliance examination plans resulting in more coordinated and risk-informed examinations.”
Financial System Review 2021, 19 May 2021
The Bank of Canada’s Financial System Review 2021 identifies six vulnerabilities in the financial system, including cyberthreats. Digitalization has boosted the attack surface available to cybercriminals, but the bank points to numerous initiatives toward countering cyberthreats, including its 2019-2021 Cyber Security Strategy and the Canadian Financial Sector Resiliency Group (CFRG). In May 2021, the CFRG led its first cyber incident simulation exercise, which gave its members a chance to practice information sharing and decision coordination in the face of a cyberthreat. The publication follows a 17 May 2021 Bank of Canada report on results of the biannual Financial System Survey. Respondents reported that cyber incidents were one of the three main risks to the Canadian financial system.
The report also notes that “the rapid evolution of cryptoasset markets” is an emerging vulnerability. Although the rising popularity in cryptoassets such as Bitcoin and Ethereum does not currently pose a significant threat to Canadian financial stability, this could change if a big tech company were to issue a cryptocurrency. Furthermore, the rapidly evolving and unique nature of cryptoassets presents challenges to the regulatory response. Investor protection issues and the role of cryptoassets in illicit transactions are main regulatory challenges. In December 2020, FINTRAC issued a guidance to reporting entities on money laundering and terrorist financing indicators in virtual currency transactions.
FINTRAC announced that it would begin assessing reporting entities’ compliance with amended AML regulations on 01 April 2022. The two amended regulations, published in the Canada Gazette on 10 July 2019 and 10 June 2020, went into force 01 June 2021. Reporting entities must submit a Large Virtual Currency Transaction Report (LVCTR) in the event that they receive a virtual currency transaction of CAD $10,000 (approximately USD $8,000) or more in a single transaction. Reporting entities must also submit an Electronic Funds Transfer (EFT) report in the case that they receive or initiate an international EFT of CAD $10,000 or more in a single transaction. In both instances, the 24-hour rule may apply. FINTRAC expects reporting entities to have implemented their reporting systems no later than 01 December 2021. Unreported LVCTRs and EFTs for the period of 01 June 2021 to 30 November 2021 must be submitted as soon as possible, and no later than 31 March 2022.
Bank of Canada Annual Report 2020, 22 April 2021
The Bank of Canada’s Annual Report 2020 briefly addresses the bank’s digital transformation strategy. In “cultivating a digital-first culture,” the bank supports the development and adoption of emerging technologies such as intelligent automation, advanced cybersecurity and digital learning. To manage an uncertain future with regard to the evolution of the COVID-19 pandemic, the bank will “increase investments in the risks and opportunities arising from automation and other innovations linked to artificial intelligence.” The bank notes that further digitalization of the economy will be integral to Canada’s post-pandemic recovery.
Digital Charter Implementation Act, 17 November 2020
The Minister of Innovation, Science and Industry introduced the Digital Charter Implementation Act, which would enact the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIPTD). The acts would grant Canadians more control over their personal data; impose new requirements on entities that collect, use and disclose personal data; and impose fines for non-compliance. Under the CPPA, entities must obtain express consent from individuals at or before the time of personal information collection. The following information must be provided for the consent to be valid:
- The purposes of the collection, use or disclosure of personal information
- The way in which personal information is to be collected, used or disclosed
- Any reasonably foreseeable consequences that could arise from the collection, use or disclosure of the personal information
- The specific type of personal information that is to be collected, used or disclosed
- The names of any third parties or types of third parties to which the organization may disclose the personal information
Individuals have the right to withdraw consent; be informed as to whether an entity has their personal information, how it was used and whether it was disclosed; access their personal information; and request disposal of personal information. Under the PIPTD, the Personal Information and Data Protection Tribunal can impose fines of up to CAD$10,000,000 (approximately USD$8,000,000) or 3% of the entity’s gross global revenue, whichever is greater.
On 11 May 2021, the Federal Privacy Commissioner Daniel Therrien sent a letter critiquing the bill to the House of Commons Standing Committee on Access to Information, Privacy and Ethics. Therrien notes that the bill would be a “step back overall” and that it is “less protective than laws of other jurisdictions.” He commissioned Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa, to assess the bill’s treatment of cross-border transfers of personal information.
Notable Provincial Updates
Amended Quebec Data Protection Act, 11 June 2021
Introduced in the Quebec National Assembly in summer 2020, An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) was amended in parliamentary proceedings, which ended 11 June 2021.15 The Committee on Institutions, which adopted the bill in February 2021, made several key modifications, including:
- Personal information may be used without consent when its use is necessary for the supply or delivery of a product or provision of a service, or when its use is necessary for the prevention and detection of fraud or the evaluation and improvement of protection and security measures
- The transfer of personal information outside of Quebec must receive “adequate” protection, aligned with “generally accepted data protection principles”
- Entities that collect personal information must inform individuals of the “name of the third persons” with whom information may be shared per the collection
- Entities must publish detailed information about its personal information governance policies and practices
Parliament will reconvene in fall 2021. Other provinces have likewise been eager to revamp their data protection frameworks. Alberta solicited feedback on the Personal Information Protection Act (PIPA) and the Freedom of Information and Protection of Privacy Act (FOIP). The consultation, which closed 20 August 2021, sought to gather information on enhancing Albertans’ data protection rights, bolstering transparency and oversight, and creating legal requirements on the processing of de-identified data.
Quebec Digitalization Law, 10 June 2021
An Act to amend the Act respecting the governance and management of the information resources of public bodies (“The Quebec Act”) went into effect. The Act requires all public bodies to develop and implement a digital transformation plan, which will involve the digitalization of Quebec residents’ personal information. A digital data manager will be appointed to advise the Executive Council of Quebec on the exchange of government data between various government bodies.16
Ontario’s Digital and Data Directive, 2021 similarly seeks to digitalize government services, as well as enable access to public government data.
Building a Digital Ontario: Digital and Strategy, 30 April 2021
Building on the Ontario Onwards Action Plan, Ontario’s Digital and Data Strategy aims to make the province a global leader in digital transformation, bolster economic growth and improve people’s lives. The strategy outlines plans for a data authority and a trustworthy AI framework. The data authority, which will enter into consultation phase in summer 2021, “will be responsible for building modern data infrastructure to support economic and social growth at scale, while ensuring that data is private, secure, anonymous and cannot identify people individually.” The AI framework, which was in consultation from 07 May 2021 to 04 June 2021, will hinge on several draft commitments:
- No AI in secret
- AI use Ontarians can trust
- AI that serves all Ontarians
The Ontario government plans to develop and share action plans for each commitment in fall 2021. Its rights-based approach echoes the European Union’s proposed Artificial Intelligence Regulation.
Ontario’s Accelerating Access to Justice Act, 19 April 2021
The Accelerating Access to Justice Act received royal assent. The Act enables the permanent witnessing of wills and powers of attorney, and it will also grant courts the power to validate wills that could have otherwise been invalidated due to technical error. The latter provision will go into effect no earlier than 01 January 2022. The Act will retroactively apply to all wills and powers of attorney that fall under the 07 April 2020 emergency order.17
Digital ID App Launches in Alberta, Manitoba and Nunavut, 27 January 2021
The eID-Me digital identity mobile application, first launched in Ontario in 2020 by the Ottawa-based company Bluink, was introduced in Alberta, Manitoba and Nunavut. Although the app does not serve as an official Canadian identification, it allows users to verify their identities to access online services and offers a digital backup to driver’s licenses and photo ID cards. To register for the app, users must have a passport—either Canadian or American—and a secondary identification such as a driver’s license or photo ID card. The app also launched in British Columbia and Quebec in 2020.
Ontario Onwards: Digital Identity Project, 19 October 2020
The Ontario-Onwards: Digital Identity Project, announced by the Office of the Premier, seeks to establish a digital identity infrastructure. Two public consultations have since been held, and the province will begin its introduction of the optional digital ID in late 2021. The digital ID can be used by individuals for a variety of services, including to open a bank account, update vaccine records and obtain a birth or death certificate. Businesses can use the digital ID to verify customers’ identities, open business accounts and apply for tax credits.
1. Johnston, Matthew. “The Economy of Canada: An Explainer.” Investopedia, 27 July 2021. https://www.investopedia.com/articles/investing/042315/fundamentals-how-canada-makes-its-money.asp
2. Davenport, Tom. “Learning From The Canadian Model Of AI.” Forbes, 19 November 2019. https://www.forbes.com/sites/tomdavenport/2019/11/19/learning-from-the-canadian-model-of-ai/?sh=7f66f29b2300
3. Lecuyer, Marc. “Pandemic-fuelled demand for digital services is here to stay.” The Hill Times, 02 August 2021. https://www.hilltimes.com/2021/08/02/pandemic-fuelled-demand-for-digital-services-is-here-to-stay/309531
4. Stephenson, Amanda. “Average cost of a data breach in Canada hit new record in 2021, IBM Security report says.” The Globe and Mail, 28 July 2021. https://www.theglobeandmail.com/business/article-average-cost-of-a-data-breach-in-canada-hit-new-record-in-2021-ibm/
5. “2020 was the worst year on record for Canada's economy. It shrank by 5.4%.” The Canadian Broadcasting Corporation, 02 March 2021. https://www.cbc.ca/news/business/statscan-economy-2020-1.5933072
6. Gordon, Julie and Kelsey Johnson. “Canada second-quarter GDP likely to fall record 12% on COVID-19 shutdowns.” Reuters, 31 July 2021. https://www.reuters.com/article/us-canada-economy-gdp-idUSKCN24W1Z3
7. Graham, Jack. “Covid-19 is Highlighting Canada’s Digital Divide. What Can We Do About It?” Future of Good, 16 April 2021. https://futureofgood.co/covid-19-is-highlighting-canadas-digital-divide-what-can-we-do-about-it/
8. Horwood, Matt. “Businesses need federal investment in cybersecurity, says Beatty.” The Hill Times, 24 July 2021. https://www.hilltimes.com/2021/07/24/businesses-need-federal-investment-in-cybersecurity-says-beatty/308194
9. “Final Report.” Advisory Committee on Open Banking, April 2021. https://www.canada.ca/content/dam/fin/consultations/2021/acob-ccsbo-eng.pdf
10. “Final Report.” Advisory Committee on Open Banking, April 2021. https://www.canada.ca/content/dam/fin/consultations/2021/acob-ccsbo-eng.pdf
11. “Methods to verify the identity of persons and entities.” Financial Transactions and Reports Analysis Centre of Canada, June 2021. https://www.fintrac-canafe.gc.ca/guidance-directives/client-clientele/Guide11/11-eng#s2a
12. “Methods to verify the identity of persons and entities.” Financial Transactions and Reports Analysis Centre of Canada, June 2021. https://www.fintrac-canafe.gc.ca/guidance-directives/client-clientele/Guide11/11-eng#s2a
13. “Canada commences testing of digital ID framework.” Finextra, 16 September 2020. https://www.finextra.com/pressarticle/84093/canada-commences-testing-of-digital-id-framework
14. “Newly Launched Digital ID Framework to Begin Testing in Canada.” Business Wire, 15 September 2020. https://www.businesswire.com/news/home/20200915005744/en/Newly-Launched-Digital-ID-Framework-to-Begin-Testing-in-Canada.
15. Gratton, Éloïse et al. “End of parliamentary proceedings in Quebec: An Update on Bill 64.” Lexology, 21 June 2021. https://www.lexology.com/library/detail.aspx?g=2cab3fdb-e6f7-423f-8257-384d5ccea244
16. Morgan, Charles S. et al. “Bill 95: Quebec’s Digitization Law Unpacked.” Lexology, 16 July 2021. https://www.lexology.com/library/detail.aspx?g=524bcdba-ff17-422f-bb26-865766500429.
17. Mezzetta, Rudy and Melissa Shin. “It’s official: marriage no longer revokes a will in Ontario.” Investment Executive, 03 May 2021. https://www.investmentexecutive.com/news/industry-news/its-official-marriage-no-longer-revokes-a-will-in-ontario/.
*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.
Last updated: November 2021