CIOs working with financial technology should be particularly watchful in 2017, according to a report from legal firm Borden Ladner Gervais. The firm has issued its list of top 10 legal risks for businesses in 2017. In its ‘technology transformations’ section, it points to the patchy regulatory landscape for fintech, which can create uncertainty for companies offering services that span the financial and the technical.
“The thing that people have to be aware of is that there is legal fiction. Some laws do not work properly, currently,” warned Stephen Redican, financial and banking partner at the firm.
He points to four areas in which fintech companies – or larger financial institutions that partner with them – face particular risks. “Cloud computing, outsourcing, data transfers, and point of sale technology [are areas] where I have personally experienced frictions with existing law,” he said.
Cloud computing is a case in point. Redican points to the Office of the Superintendent of Financial Institutions (OFSI), which released guidance on the use of cloud computing in the financial industry back in 2012 in a document called B-10.
“OFSI says you need to follow whatever it said in B-10 about outsourcing,” he warned. B-10 likens the use of cloud computing to physical outsourcing contracts, but Redican points out that some things simply don’t map well between the two kinds of agreement.
“Guideline B-10 talks about where is the location of the data. Being able to audit your providers,” he said. “If you have a cloud computer who’s providing your back office, where’s your data? Well, I can’t identify where it is. Can I audit it? Well no, it’s distributed, you can’t audit it. OK, well how can we comply with those requirements of OFSI’s?”
Regulatory risk is a well-understood issue in the fintech sector, which is growing rapidly. Venture capital-backed investments in fintech reached $137.7 million last year, up more and 35 per cent on the year before. In 2000 investments reached just $7.3 million, said reports.
Other regulators have been responsive to regulatory concerns surrounding fintech. The Ontario Securities Commission (OSC), which deals with securities rather than banking, unveiled its Launchpad initiative in October to help fintech startups navigate the complexities of securities regulation in a safe environment.
More broadly, BLG’s report warned of a growing focus on privacy and cybersecurity risks in 2017 as people become more protective of their privacy. In 2016, settlements were reached in two Canadian privacy class-action suits, it pointed out in its report, adding that there are currently 33 privacy breach class actions pending north of the border.
Almost eight in 10 of these pending class actions were employee-generated, it added, arguing that there are far more internal privacy breach cases than external ones, although external privacy breaches often garner the most media attention.
Many companies are investing in breach incident management response plans including staff training, media management and legal backup, the report added, on the basis of the 2015 update to the Personal Information Protection and Electronic Documents Act (PIPEDA). This update, passed under the Digital Privacy Act, included provisions for penalties if companies did not notify the federal Privacy Commissioner of a data breach, but the penalty clause has not yet been enacted. It is therefore a business risk that companies must prepare for, the report concluded.
