2241.FNT104

Canada is a business-friendly jurisdiction that has a wide array of fintech businesses, at all stages of growth, operating throughout the Country.

In 2020, the anticipated pace of fintech regulatory development in Canada slowed due to the COVID-19 pandemic; however, Canada nevertheless continued its transition to an increasingly digital economy. Initiatives related to open banking, known as “consumer-directed finance”, payments and cryptocurrency have been particularly active.

COVID-19 caused a material shift in consumer behavior, and Canadians accelerated their adoption of technology, notably in the area of digital and contactless payments.

A recent Payments Canada study showed 62% of Canadians reported using less cash since the start of the pandemic, and 53% of Canadians have reported increased use of contactless payment methods. Electronic payments now make up 75% of total payments volume in Canada.

There is no single Canadian regulatory body, either at the federal or provincial level, which has jurisdiction over fintech businesses. Rather, depending on the type of services provided by the fintech business, a number of regulatory bodies have jurisdiction over it.

Fintech businesses that provide banking, consumer credit and insurance services, or capital-raising services, find themselves subject to the same regulations as incumbent businesses in the same areas. 

However, Fintech businesses typically find themselves under further regulations for privacy laws such as PIPEDA (Privacy Information Protection & Electronic Documents Act) and AML laws.

Most of the regulations applicable to a Fintech business depend on the sector in which it is operating, and/or which products it is offering.

However, there are a number of regulations that apply to most Fintech businesses, notably:

• taking reasonable steps to avoid money laundering, terrorist financing, and other financial crime
• keeping customer data safe, and ensuring that customers' privacy is respected
• ensuring an adequate level of customer protection, including ensuring that a product is suitable where this is required
• ensuring that there are adequate continuity and wind‐down plans in place should the business default
• ensuring that the company does not endanger the critical financial infrastructure

The big banks dominate the financial services landscape, providing the deposit, payment, and credit facilities that we all use and take for granted, but they are no longer the only players in town.

Businesses that would once have relied on banks for credit can now borrow from peer-to-peer (P2P) platforms or specialist lenders. As alternative finance gains traction with customers, FinTech is approaching the tipping point at which a critical mass of consumers and businesses see technology-driven solutions offered by new players in the marketplace as preferable to services offered by incumbent banks.

The operations of a Fintech with specific product focus may or may not fit neatly into one of the traditional areas of regulation.

For example, a robo‐advisor would be regulated similar to an investment advisor, and for an app that allows friends to share bills some bank‐like regulation might apply (unless there is specific regulation in the payments space that recognizes non‐bank payment services providers).

However, there are products that are more difficult to fit into existing categories. For example, peer‐to‐peer lending or crowdfunding do not slot neatly into pre‐Fintech categories that did not really foresee individuals providing finance to each other on a large scale.

A Fintech company could focus on providing a complete set of financial services to a very narrow set of customers.

This company might focus on distribution, meaning that it would not create the products itself, but rely on partners – e.g. banks, insurance companies, asset managers – whose products it would white‐label and sell on to its own customers. Regulating this company like a financial conglomerate would certainly not be the way to go.

On the other hand, solely relying on the fact that the backend product providers are regulated would probably not work either, as at least some of the applicable regulations (e.g. money laundering, data protection, conduct) are relevant for the front‐end provider as well.

It is often difficult to design product‐based regulation.

It would be ideal if one could apply the equivalent of duck typing (if it walks like a duck, and it quacks like a duck, then it must be a duck) and whilst regulators often try to do so, it is not always possible.

The very nature of law makes it difficult to write regulation on a functional or product level because there is always the tension between making the law unambiguous and predictable, and making it flexible enough to allow for variations around a theme when the market offers products that are similar in nature, but different in important details, in particular also in the legal form.

The question is ultimately about where to apply the boundary.

Regulating Fintech products based on rules is hard.

It is usually possible to look at existing products and services and then write legislation that sorts them correctly into those where it should apply and where not.

However, once the legislation is written, new products can be designed that end up on the wrong side of the boundary, either:

• deliberately - a process often referred to as regulatory arbitrage, or
• by chance - in which case existing legacy regulation can and does impede the development of innovative products and services.

An attempt to solve the dilemma of classic rules-based regulation is to go down the route of principles‐based regulation, allowing more regulatory flexibility.

In practice this is not a dichotomy but rather two opposite ends of a continuous spectrum, as principle‐based regulations also have some hard rules, just fewer of them, and vice versa.

Principles‐based regulation can solve some of the issues, but it comes at a cost: for example, there is less regulatory certainty, and regulators become more powerful so regulatory capture and even corruption can become more of an issue.

Financial services regulation is usually organized within classic industry sectors:

• banking and payments,
• insurance and asset management, and
• market infrastructure.

Within those sectors, there are a number of lines along which regulation can be split, for example:

• by structure – e.g. prudential (robustness of institutions and the system) vs conduct (e.g. fair treatment of customer) vs market (e.g. product innovation and availability)
• by subsector – e.g. banking, payments; or insurance, mutual funds, pension providers; or exchanges, clearing houses

Regulation is anchored around primary legislation that has been implemented at the appropriate level. By default this is the national level, but there are important exceptions.

For example:

• in United States – insurance regulation is based at the state level, and bank regulation can either be at the state or the federal level, depending on whether the bank has a state charter or a federal charter.
• In European Union – a lot of regulation is legislated at the supra‐national level, in a slightly complex process involving national‐level legislators as well.

Regulatory legislation is complex and technical, and the broad‐brush principles have to be interpreted to ensure coherent application on the ground. Therefore, primary regulatory legislation generally leaves a lot of the technical details to secondary legislation.

Wherever there is a legislator enacting regulation there tends to be one or multiple agencies tasked with implementing this legislation, loosely referred to as ‘regulators’, and those regulators are usually also in charge of enacting the secondary legislation. The balance between the frontline regulatory task, and the duty to create secondary legislation can vary.

The financial system is highly interconnected at all levels, and it is therefore important that regulation is coordinated and harmonized at all levels as well.

The international harmonization of regulation happens in a number of supranational forums where national regulators and legislators, plus typically the EU as an independent party, convene and discuss to what extent regulations should be harmonized.

At a political level, the highest‐level group addressing this is the G20 forum of heads of state or finance ministers who, supported by their senior regulators, decide upon a high‐level roadmap of where they want international regulation to go.

The main focus of the G20 Forum tends to be the avoidance of financial crisis.

The G20 only meets occasionally, and is supported by:

• the Financial Stability Board (FSB), which is a permanent institution that drives the G20 agenda between the meetings.

On a more technical level, there are 3 organizations that deal with the global harmonization of rules in their respective sector:

• the Basel Committee for Banking Supervision (BCBS) for banks,
• the International Association of Insurance Supervisors (IAIS) for insurance companies, and
• the International Organization of Securities Commissions (IOSCO) for market places.

The FATF (Financial Action Task Force), is another important international organization which coordinates the global fight against:

• money laundering,
• terrorist finance, and
• financial crime.

FATF is a forum to create harmonized rules in the above areas and it regularly reviews and comments as to whether national practices are in line with said rules.

CRTA (Canadian RegTech Association) is a non-profit organization focused on solving regulatory challenges through collaborative efforts between key RegTech stakeholders:

• regulated entities,
• technology vendors,
• regulatory bodies,
• government, and
• professional service providers.

canadianregtech.ca

CRTA’s goal is to:

• facilitate dialogue,
• raise standards, and
• promote growth and innovation within Canadian RegTech eco-system.

CRTA solves regulatory challenges through collaborative discussion and engagement in proof-of-concept initiatives.

canadianregtech.ca

• Actively lead progressive dialogue amongst industry, innovators and policy makers
• Champion and promote the innovative use of technology to create efficiencies and reduce the costs of regulatory compliance
• Create greater awareness of the Canadian RegTech industry within Canada through Thought Leadership, hosted events, podcasts and collaborative partnerships
• Represent the Canadian RegTech industry in global forums including International RegTech Associations by highlighting local Canadian expertise that can be readily exported to other jurisdictions
• Participate in the development of standards and establish mechanisms with partners to test and validate within the RegTech community

canadianregtech.ca

By default every subsidiary is subject to the rules of the jurisdiction where it is incorporated. This, however, cannot be seen in isolation, and there is also the group‐level view to consider.

In order to deal with this, regulators establish for every major financial group a so‐called regulatory college where all national regulators for whom the group in question is important participate, and that is led by the group's home regulator, i.e. the lead regulator in the jurisdiction where the group holding company is regulated.

There are a number of conventions and international agreements about how those colleges operate, but essentially they must agree on respective responsibilities, in particular with respect to control, inspection, and information sharing, and on how to deal with sanctions and emergency situations should the need arise.

One of the key reasons behind the harmonization of regulations is to enable companies to engage in cross‐border business without having to go through a full regulatory approval process in every jurisdiction in which they operate. In current regulatory practice there are two different levels of authorization:

Equivalency  means that rules in two jurisdictions are similar enough that regulators are confident that the firms covered by them can operate in each other's markets (or portions of each other's market, e.g. only covering sophisticated investors) with a reduced level of local oversight.

Passporting   means that the rules in the two jurisdictions are so close that only very limited local oversight is needed, and that therefore the regulator of the company's home jurisdiction is responsible for looking after the company's entire business, including in passported jurisdictions.

When regulators declare their rules within a certain area to be equivalent, this indicates that either set of rules is as good as the other.

In this case the regulators might grant each other's regulated companies access to their own markets, subject to a number of operational guidelines with regard to the respective rights and responsibilities of home regulators and host regulators, and how they'll interact — in particular, how they'll share data.

Typically, market access via equivalence is within a very narrow range of product, services, and customers, with the latter almost always being professional or sophisticated counterparties that are believed to be able to look after themselves if need be.

Companies that are established within the EU's Single Market do not have to rely on equivalence to provide their services on a cross‐border basis.

As the rules are already the same (within the parameters established by the relevant directives and regulations, i.e. taking into account permissible variations across jurisdictions) the different regimes are known to be equivalent.

In fact, they are super‐equivalent in the sense that the variation in rules is much smaller than would be the case under the typical equivalence regime. In this case, companies can provide services under a regime that is known as ‘regulatory passporting’.

Companies that are authorized in an equivalent regime have the right to apply for authorization under equivalence provision, meaning being authorized in their home country is a necessary condition for authorization under equivalence.

Under a passporting regime, companies that are authorized in their home country have the right to operate under this passport, meaning being authorized in their home country is a sufficient condition for authorization under passporting.

There are a number of administrative hurdles to overcome, but overall, gaining access to a market via passporting is much preferable to gaining access via equivalence. However, companies must be established in the business they want to passport in their home Member State – they can't just go forum shopping and establish themselves in a particular jurisdiction for regulatory reasons without doing substantive business there.

It is noteworthy that: Fintech regulation is not an end in itself, but a means to achieve a certain end, typically to address a market failure.

The smaller a company is, the less damage it can do, and the less it is subject to regulatory oversight. There is one important distinction to make: proportionality mostly applies in the area of macro‐prudential regulation and market structure, because in those areas size matters.

However, any company can do damage to its customers, so even small companies must comply with conduct rules, micro‐prudential rules ensuring appropriate levels of safety for customer assets, and public interest regulations, e.g. in the money laundering and terrorist finance space.

Fintech regulation does not always catch up immediately with what is happening in the market.

Especially when business models are new, and/or do not map properly onto the classic regulated businesses, it is often not clear which exact regulation applies, how it is to be interpreted, and who the regulator in question is.

That is a chance, but it is also a risk that suddenly a regulator steps out of the woodwork and imposes restrictions or even fines. Ultimately a start‐up company with limited resources must weigh the risk of getting bogged down in regulatory discussion with a number of regulators, most of which might not have clear idea what to do in this respect either, with the risk of being told off at a later stage.

Start‐ups should have a good view on the regulations in place in the product areas in which they are operating.

In particular, if start‐ups are competing head‐on with regulated businesses, they should know the regulations that those businesses have to comply with, and they should spend some senior management time and effort to adapt their own strategy accordingly.

A number of questions that senior management should ask themselves, and points to ponder, are presented on following two pages. 

1. Are there regulations that apply to our business?
2. Are there regulations that make sense if they applied to our business, and is the only reason they don't apply because our business model is not yet on regulatory radar?
3. Are there regulations, or regulatory principles, that apply in the product space that we are covering?
4. Are there regulations that apply to traditional competitors but not to us, and do they really not make sense either in their case or in ours?
5. What are the implications of the answers to the above points with respect to product design? Are there product features that would make it better suited to the regulatory environment?
6. What are the technology implications of above points? In particular, would it be better to take certain design decisions now, or leave them to later?

If there are regulations where the answer to question (1) is ‘yes’ or ‘probably yes’ then it is highly advisable to talk to the relevant regulator.

Any regulations where the answer to question (2) or (3) is ‘yes’ should be high on the priority list, as they'll almost certainly become a requirement in the future.

Those under (4) are more ambiguous: there is a risk that they'll be extended for level‐playing‐field reasons, or maybe they might be entirely scrapped, so they should be on the radar but need not necessarily be acted upon.

The points (5) and (6) are key strategic question in terms of product and system development that companies should consider.

One instrument often used by early‐stage start‐ups is a non‐action‐letter.

A start‐up may formally approach the regulator with a description of its business activities, processes, and volumes, especially in the areas that relate to regulated parts of the financial system. If the regulator is persuaded that those are adequate it might issue a non‐action‐letter. This letter is time-limited and conditional on the environment not substantially changing from that which had previously been described, in particular also in terms of business volume.

A non‐action‐letter does not provide 100% legal certainty that everything is correct, especially if things go wrong. Also, it only covers the regulator who has prepared the letter, so it should not be taken as an indication that all applicable regulations have been complied with, or that all relevant regulators are on board.

Having said this, in most cases having a non‐action‐letter is better than not having one.

You know what they say: if you can’t beat them, join them.

Developments in FinTech have the potential to erode the brand equity of the incumbent banks and eat into heir market share. But banks also have an opportunity to embrace FinTech innovation and offer new solutions to their customers.

The smartest move is to collaborate, not to compete – and many banks have understood this. Strategies differ but the goal remains the same: survive, and even profit from the digital disruption. This may actually be beneficial for the bug banks. What is better than having someone inventing everything right in front of you, and allowing you to just buy it?

This is a once-in-a-lifetime opportunity for banks to obtain advanced capabilities and modernize infrastructure without having to develop it in-house.

It only requires an open innovation mind-set for banks to join the game.

2241.FNT104