Fintech Law in Canada: 2021 Year in Review

By Noah Walters

Compared to other countries, Canada has often taken a “wait-and-see” approach to the FinTech regulation. Rather than rolling out a fulsome regulatory framework, incremental change has been the order of the day. However, 2021 proved to be a relatively productive year for Canadian legislators. In this insight, we highlight the most significant developments in Canadian FinTech Law, and share our thoughts on key trends to look for in 2022.

Open banking

In August 2021, the Advisory Committee on Open Banking released its final report, which made recommendations on how to implement a secure open banking system that would facilitate the secure and efficient transfers of financial data between consumers, financial institutions, and accredited third parties (our insights on the Report can be found here). The Report made six key recommendations concerning policy objectives, scope, regulatory framework, common rules, accreditation criteria and technical specifications, and standards for an open banking system in Canada. Ultimately, the report recommended that the federal government quickly proceed with a phased-implementation of a hybrid open banking system to promote competition in Canada’s financial sector and reduce the risks associated with financial data sharing.

Many Canadian FinTech companies employ screen-scraping techniques to provide data driven services to their customers; such techniques are likely to continue until an open banking framework provides meaningful alternatives. Accordingly, of particular note for FinTech lenders in Saskatchewan is an advisory issued in October 2021 by the Financial and Consumer Affairs Authority (FCAA) that effectively sets out prohibitions on screen-scraping for payday lenders, and disclosure obligations for other provincially-regulated entities like financing corporations, which are licensed under the Trust and Loan Corporations Act. This advisory is notable because, to date, the FCAA is the only provincial financial services regulator to tackle this issue. Screen scraping was a hot topic in Canada in 2021, and will likely be of increased relevance moving forward as the open banking initiative continues.


In one of the biggest regulatory developments in 2021, the federal government passed the Retail Payment Activities Act (RPAA) which serves as the first regulatory regime for retail payment providers in Canada. The Bank of Canada, who will take the role of regulator, will oversee all “retail payment activity” that is performed by a “payment service provider” (PSP) as that term is defined in the Act that provide one or more “payment functions”, which include:

  • The provision or maintenance of an account that, in relation to an electronic funds transfer, is held on behalf of one or more end users;
  • The holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity;
  • The initiation of an electronic funds transfer at the request of an end user;
  • The authorization of an electronic funds transfer or the transmission, reception or facilitation of an instruction in relation to an electronic funds transfer; or
  • The provision of clearing or settlement services.

Once the RPAA comes into force, PSPs will be required to register with the Bank of Canada and meet certain operational and risk management requirements (see our previous article for details).

Anti-money laundering (AML) / Know Your Customer (KYC)

In June 2021, new amendments made to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) in 2019, came into effect. The amendments were accompanied by both revised and new FINTRAC guidance designed to bridge the gap between existing rules and technological developments.

Key areas affected by the new regime include:

  • New virtual currency obligations;
  • New identification and reporting obligations regarding politically exposed persons and heads of
  • international organizations;
  • Expanded obligations for foreign money services businesses;
  • The introduction of obligations relating to prepaid cards issued by financial entities, such as
  • banks;
  • Beneficial ownership reporting obligations;
  • Updates to the 24-hour rule;
  • New travel rule requirements;
  • Business relationship screening requirements;
  • Ongoing monitoring requirements;
  • Updated recordkeeping requirements;
  • New anti-money laundering training program requirements; and
  • Updates to identification methods and know-your-client checks.


In light of these significant changes, FINTRAC explained that it would exercise a degree of flexibility in assessment reporting entities compliance programs; however, the expectation is that all reporting entities should ensure that appropriate steps are taken to comply by April 1, 2022. More information on the June 2021 PCMLTFA amendments can be found here.

Cryptocurrency and Blockchain

In March 2021, the Canadian Securities Administrators (CSA) and the Investment Industry Regulatory Organization of Canada (IIROC) jointly published CSA Staff Notice 21-329 to provide guidance on how securities legislation may apply to crypto asset trading platforms (CTP) (see our article on Staff Notice 21-329 for details). While there are multiple ways to categorize crypto assets, the Notice indicates that securities laws apply to CTPs when the CTP facilitates or proposes to facilitate the trading of: (1) crypto assets that are securities (Security Tokens), or (2) instruments or contracts involving crypto assets (Crypto Contracts). The Notice also explains that regulation may apply to the buying and selling of crypto assets that are commodities because the users’ contractual right to the crypto asset may itself constitute a derivative. This occurs when the crypto asset is not immediately delivered to users. The Notice goes on to distinguish between CTPs that are “marketplace platforms” and “dealer platforms”, and in consideration of the nascency of this industry, sets out interim steps to allow CTPs to operate while gradually integrating themselves into the Canadian regulatory structure.

In September 2021, the CSA and IIROC jointly published Staff Notice 21-330 which provided guidance for crypto-trading platforms in relation to advertising, marketing and social media use. The Staff Notice includes an overview of the principal requirements under securities legislation and IIROC rules in relation to advertising and marketing and reminds CTPs, including foreign-based CTPs with investors in Canada, that the CSA may take enforcement actions for noncompliance with these requirements.

The key concerns as set out in the Notice include:

  • Statements in advertising and marketing materials that could be considered false or misleading;
  • The use of gambling-style contests, promotions or schemes, such as the offering of bonuses or rewards based on the level of trading, that may encourage excessive trading by retail investors;
  • Compliance and supervisory challenges when using social media to promote CTPs; and
  • Compliance with Canadian securities legislation generally.

Privacy & cybersecurity

2021 ushered in a variety of exciting new developments in privacy law. Most significantly, Québec passed a privacy law reform bill (Bill 64) in September that will give covered organizations two years after assent to ensure compliance with new regulatory requirements.

Bill 64 will require organizations to:

  • Establish data governance processes, including ones to assist individuals in exercising new privacy rights; develop corporate data management policies;
  • Adopt technological solutions to de-index or transfer personal information upon request; and
  • Issue internal guidelines to support staff and service providers in the implementation of the new privacy regime (this article sets out details).

Of particular note is the fact that the law of Québec will apply beyond the province’s borders where organizations collect personal information from Quebec residents.

Also of note was the introduction, and subsequent failure, of a federal attempt at privacy law reform, with the Canadian Privacy Protection Act (CPPA). If passed, the CPPA would have represented the largest overhaul to Canada’s privacy regime in over 20 years, replacing the existing Personal Information Protection and Electronic Documents Act (PIPEDA), as the federal legislation regulating privacy in the private sector. We mention the CPPA despite its expiration because there are indications that a comparable law could be introduced.

In August 2021, the Office of the Superintendent of Financial Institutions (OSFI) published an advisory that sets out updated requirements for all federally regulated financial institutions (FRFIs), including banks and insurance companies, to report technology and cybersecurity incidents to OSFI within 24 hours. The Advisory was effective immediately and will likely require many FRFIs to update their incident response practices/procedures and agreements with IT service providers and other third parties.

What to expect in 2022

Looking ahead to 2022, we expect to see continued interest in the regulation of PSPs and the

accompanying regulatory burden of that regulation. That burden will be new to many Canadian PSPs, which are accustomed to operating in a space with few regulatory constraints.

In the past year, the crypto industry experienced a dramatic shift in value with global assets plugged into decentralized financial (DeFi) infrastructure rising from approximately $20 billion to $250 billion. Wallet addresses (the equivalent of accounts) on crypto networks that can run DeFi software rose in number from about $100 million to $500 million.1 Most impressively, total crypto enterprise value went from about $750 billion to somewhere between $2-3 trillion. During this period Canadian, regulators provided some valuable guidance on crypto trading activities and marketing as discussed above, and in 2022 we expect to see regulatory sophistication gradually increase to distinguish between disparate types of crypto assets and associated use cases (such as NFTs, DAOs, crypto lending, stablecoins, and CBDC).

Ultimately, we expect 2022 to be a year of increased regulatory maturity, as newly-proposed and newly-enacted legislation begins to leave an impression on the Canadian financial services market. For more information on how you can prepare for upcoming changes and/or respond to developments in 2021, reach out to Noah Walters at Dentons.

[1] Lex Sokolin, “The FinTech Blueprint” (December 29, 2021) online: