1
CSA Multilateral Discussion Paper 11-406 – CSA Financial Innovation Hub Introduces Collaboratory and Data Portability Test
February 18, 2025 Introduction Data privacy laws in many international jurisdictions are developing in a manner that aims to give users greater rights to control their own data. This has manifested in a number of ways, including new laws requiring a business to, upon request by the individual, transfer personal information collected by the business to the individual or a third party. Data portability (Data Portability) may have an impact on market participants subject to Canadian securities laws that collect data and information from investors. This includes registrants and potentially other market participants, such as investment fund issuers, non-investment fund reporting issuers, marketplaces and marketplace participants. Although Data Portability (as defined below) legislation has not yet been adopted in Canada, except in Quebec 1 , it is nevertheless important for Canadian Securities Administrators (CSA or we) staff to better understand from industry how incoming technological or regulatory changes can affect how the participants will comply with securities regulation.
To that end, CSA staff are examining the implications of Data Portability in the Canadian capital markets and are consulting industry stakeholders through a new forward-looking cohort-based testing environment, the CSA Collaboratory. Our first test within the CSA Collaboratory will seek to provide the CSA with a greater understanding of the impacts of Data Portability solutions and in particular the collection, analysis and transfer of client data which is sometimes referred to as an e-KYC solution. As is explained in detail in this CSA Financial Innovation Hub Discussion Paper (the discussion paper), this Data Portability test will take a phased approach and may result in a live testing environment, if deemed necessary and appropriate.
The purpose of this discussion paper is to: introduce the first test within the CSA Collaboratory, which will focus on the theme of Data Portability; and consult with market participants, investor protection associations, and other concerned stakeholders to better understand the legal, technological and practical issues facing registrants and other market participants who may be legally required to port or share client information on request;
As noted above, the first test within the CSA Collaboratory will focus on the theme of Data Portability, with a particular emphasis on how Data Portability procedures may be able to facilitate reduced friction and burden in the client onboarding process without unduly compromising investor protection. The securities regulators of British Columbia, Alberta, Saskatchewan, Manitoba, Nova Scotia and New Brunswick (the publishing jurisdictions) are participating in this discussion paper. The Autorité des Marchés Financiers (together with the publishing
1 In Quebec, a new right to Data Portability came into effect on September 22, 2024.
2
jurisdictions, the participating jurisdictions) is also participating in the Data Portability test and expects to participate in subsequent phases of the test.
Background on CSA Collaboratory The current CSA business plan (the Business Plan) indicates that the CSA will be taking a proactive and coordinated approach to building regulatory capacity for emerging digital business models with the aim of supporting innovation in the Canadian capital markets. As part of the Business Plan, the CSA Financial Innovation Hub has developed the CSA Collaboratory, which will allow eligible businesses to test novel technology or business solutions and concepts within a controlled space with predefined parameters and timeframes. By offering a streamlined, cohort-based mechanism for businesses to experiment with new technologies, the CSA Collaboratory aims to enable companies to test ideas pursuant to a specific testing plan that is agreed to and monitored by jurisdictions participating in the testing theme. The environment is suitable for cases where the CSA has determined that risks can be managed effectively within well-defined boundaries. This environment may be particularly suited for cases where developments in technology may lead to new business models.
Advantages of a Cohort-based Approach From the CSA’s perspective, the CSA Collaboratory holds numerous advantages because it: serves as a platform for encouraging innovation that has the potential to enhance and improve the functioning of Canadian capital markets; promotes active engagement, dialogue and collaboration between the CSA and key players in the fintech ecosystem, enabling a deeper understanding of emerging trends, risks, and technologies; builds the CSA’s expertise by conducting research, consulting with industry participants, and experimenting with new business models and technological solutions; and provides insight into activities that will play a crucial role in informing the development and modernization of regulatory frameworks.
For businesses and market participants, the CSA Collaboratory offers an opportunity to test innovative financial products and services in a controlled setting, over a limited time period. Companies benefit from direct engagement with CSA staff by receiving feedback throughout the testing process. This collaboration helps firms refine their business models and align them with regulatory expectations, thereby reducing potential obstacles to market entry. Additionally, participants may have the chance to engage with regulatory experts to address challenges and explore collaborative solutions, facilitating the development and adoption of cutting-edge technologies.
Local or National Impact of Cohort Themes Although the CSA expects that some cohorts will be available across all CSA jurisdictions, we recognize that there may be unique opportunities for cohorts to develop in only one or a few CSA jurisdictions. To that end, the CSA Collaboratory is designed to be flexible and agile, allowing for localized tests when necessary or desired. Unique opportunities may arise for cohorts to develop in specific CSA jurisdictions based on local feedback and development.
3
However, it is expected that any data or findings coming out of a localized CSA Collaboratory will be shared with the rest of the CSA to assist in policy making across Canada.
CSA Collaboratory Theme - Data Portability The first test within the CSA Collaboratory will focus on the theme of Data Portability, with a particular emphasis on how it may facilitate collecting client’s information and the know-your-client (KYC) process
In order to facilitate this, we have defined the following: Data Portability means the ability of individuals to request that a data holder transfers to them or a specific third party, data concerning that person in a structured, commonly used, and machine-readable format on an ad hoc or continuous basis. 2 e-KYC is the process of collecting client’s information and, completing identity verification and other KYC requirements as set out in section 13.2 of National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103) using digital means, such as through electronic forms, digital documents, and varying degrees of automation. This enables the registrant to obtain information about the client that assists in performing its KYC obligations and a suitability assessment as set out in 13.3(1)(a)(i) of NI 31-103. 3 e-KYC portability means the ability for individuals to obtain, reuse and port financial and other personal information from one financial service provider to another for purposes of facilitating the process to gather client information under the KYC process across different securities registrants that are providing investment services and/or products to the individual.
As noted in more detail below, registrants have a number of core obligations, including an obligation in section 13.2(c) of NI 31-103 to take reasonable steps to ensure that it has sufficient information about the client to indicate whether the investment is suitable for the client, based on the factors set out in section 13.3 of NI 31-103. This discussion paper does not change or alter the registrant’s obligation to conduct KYC obligations under NI 31-103 or the CSA’s existing expectations in this regard. This discussion paper does not alter or amend existing law or guidance in any manner, and does not provide any new guidance in relation to registrants’ obligations under securities legislation. We continue to expect firms to establish, maintain and apply policies, procedures and controls relating to the KYC process, in accordance with their category of registration, their business model, their client’s type of account and the nature of the relationship with their clients. We also continue to expect firms to consider existing guidance in relation to their activities, including specific guidance applicable only to certain operating models. For example, see the guidance relating to the use of electronic questionnaires for KYC
2 The impact of data portability on user empowerment, innovation, and competition | OECD (2024). 3 As set out in section 13.2 of Companion Policy 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations (31-103CP), the process of collecting and updating a client’s KYC information must amount to a meaningful interaction between the client and the registrant. Although standardized questionnaires or other tools may be used to facilitate the collection of KYC information and to document that information, the registrant remains responsible for the KYC process. The KYC obligation does not vary depending on the medium through which a registrant interacts with its client to gather the necessary information.
4
information in CSA Staff Notice 31-342 – Guidance for Portfolio Managers Regarding Online Advice.
However, we also acknowledge that Data Portability is emerging as an important component of modern data governance, offering significant potential to reshape how individuals interact with financial service providers. By enabling users to seamlessly transfer their personal data from one firm to another, Data Portability can reduce the costs and barriers associated with switching or using additional service providers, thus promoting competition and empowering consumers. The concept of Data Portability is particularly relevant in an era where individuals generate vast amounts of personal data across multiple platforms.
Data Portability Developments in Canada and Internationally Allowing individuals to take control of their data and transfer it between organizations not only enhances consumer choice but also supports the broader goal of data privacy reform. Jurisdictions around the world, including Canada, are incorporating Data Portability as a key feature in their updated data privacy laws. It is expected that Data Portability will enhance access to and sharing of data across digital services and platforms, empowering users to play a more active role in the re-use of their data and helping to stimulate competition and innovation by fostering interoperability. Data Portability can also streamline operations by reducing the time and effort required to gather client information. In the financial markets, Data Portability allows investors to transfer their data between different financial service providers more easily. 4
The following are some examples of how Data Portability is arising in the Canadian financial industry:
Consumer-Driven Banking: In April 2024, Department of Finance Canada, published the consumer-driven banking framework, also known as open banking, that would allow consumers and small businesses to direct their financial institutions to share their data with third party providers of their choice using secure application programming interfaces for agreed-upon durations and purposes. 5 The introduction of consumer-driven banking in Canada would reflect a shift in several jurisdictions globally toward open banking—a model of banking fundamentally reliant on Data Portability. Jurisdictions such as the United States, Brazil, India, Singapore, Bahrain, the UK, Hong Kong, and Australia have already implemented similar frameworks, embedding open banking principles into their laws and regulations. 6
Although the first portion of the legislation has been introduced, consumer-driven banking is not yet available in Canada. 7 If it becomes available in the form proposed in the 2024 Federal Budget, the Financial Consumer Agency of Canada (FCAC) will be
4 Ibid. 5 Budget 2024: Canada’s Consumer-Driven Banking Framework - Canada.ca. 6 The U.S. Consumer Financial Protection Bureau also recently unveiled open banking rules that would make it easier for consumers to switch between financial services providers. https://www.consumerfinance.gov/about-us/newsroom/cfpb-finalizes-personal-financial-data-rights-rule-to-boost-competition-protect-privacy-and-give-families-more-choice-in-financial-services/. 7 Bill C-365, An Act respecting the implementation of a consumer-led banking system for Canadians, is currently in consideration for the Standing Committee on Finance in the House of Commons.
5
tasked with oversight of this new framework. The FCAC has said it will aim to allow Canadians safe access to innovative products and services that can help them better manage their finances and improve their financial well-being. This may include introducing new technical standards for accessing financial technology applications allowing Canadians to build their credit by using transaction data, making it easier to get a loan, rent an apartment or qualify for a mortgage. 8 Because investment product data is included in the scope of data 9 to be shared under the proposed consumer-driven banking framework within Canada, if implemented, the new consumer-driven banking regime may have broader implications for the securities industry.
Quebec Right to Data Portability: In Quebec, a new right to Data Portability came into effect on September 22, 2024. 10 It was introduced by the Act to modernize legislative provisions respecting the protection of personal information that modified the statutory right of access to personal information. 11 Upon request, public and private organizations will be required to communicate to individuals computerized personal information they have collected from them. This communication may also be made to a person or organization authorized to collect the information, at the request of the applicant. This right applies to computerized personal information collected directly or indirectly from the individual, excluding data obtained from third parties or created by the organization. Computerized personal information may include data such as identifiers, health data, email, financial data and phone numbers. This new portability right is applicable to public bodies and persons carrying on an enterprise in Quebec, commercial in nature or not, that hold personal information on an individual. 12
8 <https://www.canada.ca/en/financial-consumer-agency/news/2024/06/fcac-welcomes-new-mandate-to-oversee-canadas-consumer-driven-banking-framework.html> 9 See section 4 of Division 16 Consumer-Driven Banking Framework of Government Bill (House of Commons) C-69 (44-1) - Royal Assent - Budget Implementation Act, 2024, No. 1 - Parliament of Canada. 10 Data Portability An Act to modernize legislative provisions as regards the protection of personal information (SQ 2021, c 25). 11 The statutory right to access information is provided under the Quebec Act respecting the protection of personal information in the private sector and the Quebec Act respecting Access to documents held by public bodies and the Protection of personal information. 12 For more information, please visit Vos droits | Commission d’accès à l’information du Québec (only in French) or refer to publications by various legal firms on Québec’s new Data Portability right.
Test Overview
6
Figure 1 Examples of e-KYC portability Example 1: a potential e-KYC solution provider A live testing e-KYC environment could involve the following participants: An e-KYC portability service provider that collects and holds client personal information, who is then authorized or directed by the client to release some or all of that personal information to registrants periodically in order to facilitate processes of the registrant, such as account opening or annual maintenance. Clients who are interested in utilizing an e-KYC portability service provider to streamline account opening and to periodically check for updates. These clients may find a benefit from reduced friction in the KYC process, particularly if the client is considering a number of different unique investment products that are only available from certain registrants. Registrants that become part of a network of organizations that have partnered with one or more e-KYC portability service providers.
Example 2: direction by client to release KYC information to another registrant Another example is a circumstance where: a client has an existing relationship with an investment dealer (existing registrant). They wish to maintain the relationship with the existing registrant but also wants to invest in a product only available with an exempt market dealer, such as a crowdfunding portal (crowdfunding portal). Instead of undergoing the standard onboarding process with the crowdfunding portal and completing all of its standard intake forms, the client directs and gives their consent to the existing registrant to release certain KYC information currently held by the existing registrant to the crowdfunding portal directly.
In both examples, the information is collected by the receiving registrant, who then reviews the information to determine what additional information is needed from the client to fulfill its KYC obligation. Once the information gap is determined, the receiving registrant engages in a meaningful interaction with the client to obtain the additional information. The receiving registrant will then be in a position to provide its suitability assessment.
Please note that these are only two potential applications of e-KYC portability, and that in addition to existing applications, other applications may be developed over time.
CSA staff have been monitoring global and Canadian developments in respect of Data Portability and are interested in investigating whether there are impediments in securities legislation constraining the implementation of Data Portability solutions.
7
BCSC and ASC Survey In Spring 2024, BCSC and ASC staff conducted a survey with registrants in their respective jurisdictions to better understand the developments and challenges registrants face with digital ID (Digital ID) when used in the KYC process. The survey explained Digital ID to mean more than simply an electronic form of identification that can be used to authenticate and verify the identity of individuals or entities online. The survey indicated that Digital ID may encompass a wide range of technologies and methodologies designed to securely and reliably collect personal, financial and other information that could be used by a registrant in its activities.
The survey results indicated that registrants were interested in expanding their use of Digital ID as described to assist with their compliance obligations; however, the availability and affordability of technology solutions were a challenge. The survey also indicated that market participants were interested in participating in a testing environment focused on Digital ID solutions and there may be a market in BC and Alberta for e-KYC solutions. We also note the following results from the survey:
161 participants in BC and Alberta responded to the survey. The three most significant challenges in their current KYC processes were: o availability of automation; o lack of affordable technology; and o ability to balance the depth and quality of KYC information. Time cost to employees was the most common cost-related complaint regarding existing KYC compliance. 46% of participants indicated that they intend to expand their use of Digital ID in the next three years. 48% of participants indicated that they were interested in participating in a test focused on Digital ID solutions to assist registrants with meeting KYC and suitability obligations.
Test Phases The CSA's initiative to explore Data Portability and e-KYC processes will be conducted in three distinct phases, each designed to maximize meaningful outcomes and direction for the next phase. This approach is intended to help the CSA better understand an optimal regulatory approach for market participants subject to Data Portability obligations If appropriate, it may also involve real-world testing of e-KYC portability and its role in enhancing Data Portability within the financial sector.
Phase 1: Introduction of the CSA Collaboratory and Consultation on Data Portability and e-KYC (90 days)
The first phase is the issuance of this discussion paper and consultation questions on Data Portability and e-KYC. Our aim is to use the feedback obtained in response to these consultation questions to identify participants and topics most relevant for discussion in the next phase, an industry consultation forum.
8
Phase 2: Industry Consultation Forum The second phase will be a consultation forum hosting thematic industry roundtables and other communication forums.
The consultation is expected to center on several key themes, including the effectiveness of e-KYC in mitigating financial risks, challenges related to the centralization of customer data, privacy concerns, and potential regulatory barriers to the widespread adoption of e-KYC. Additional topics may include the role of technological innovations such as artificial intelligence and blockchain in enhancing e-KYC processes and understanding whether other areas of securities legislation may be potentially impacted by Data Portability obligations in some jurisdictions. We would also want to better understand the demand for an e-KYC portability solution and whether there are service providers that can participate in a live testing environment in a manner that would not unduly compromise investor protection.
To gauge the effectiveness of e-KYC and its alignment with broader regulatory objectives, the CSA intend to use this discussion forum to define specific success measures. These may include the reduced friction experienced by registrants during the customer onboarding process, the reduction of fraud and identity theft risks, and improvements in client satisfaction resulting from Data Portability. The consultation will seek input on how best to measure these outcomes and how e-KYC can be implemented in a way that maximizes market efficiency while maintaining investor protection. The feedback gathered during this phase will inform the next steps of the initiative and help identify any additional areas requiring regulatory attention.
Phase 3: Live Testing Environment (if necessary and appropriate) If the feedback obtained from Phase 1 and Phase 2 reveals sufficient interest and identifies a clear path forward, the participating jurisdictions may proceed with a Phase 3 live testing environment. This controlled environment could allow businesses to trial e-KYC solutions in real-world scenarios under the oversight of the CSA. The objective of live testing would be to assess how e-KYC solutions perform in practice, especially in terms of effectively meeting Data Portability obligations, security, and compliance with existing regulations.
Should this phase occur, the live testing environment would be designed to minimize risks while providing valuable insights into the practical application of e-KYC technology. Results from this phase may help the CSA identify if there are impediments in securities legislation constraining the implementation of Data Portability, and to refine its approach, ensure alignment with industry needs, and contribute to the development of robust regulations for the Canadian financial ecosystem.
Consultation Questions on Data Portability and e-KYC This section is the first step in our wider industry consultation on Data Portability and e-KYC. We will consider all comments received and we encourage those who are commenting to limit their answers to those questions that are relevant to your organization or expertise.
Comments must be submitted by May 19, 2025. Detailed instructions regarding how to submit comments are included at the end of this discussion paper.
9
1. Compliance with Data Portability Requirements under Existing Law We expect that a number of industry participants, including some registrants and reporting issuers, are already subject to explicit Data Portability requirements. We would like to better understand from these industry participants what operational changes they have considered and implemented (or propose to implement) in order to meet new Data Portability requirements. We also understand that in some cases, the organizations are not required to comply with Data Portability obligations. If, for example, compliance results in the organization incurring significant costs or dealing with significant complexities to communicate the individual’s personal information in a structured and commonly used technological format. If such a determination has been made, we would be interested in knowing what some of these costs or complexities are, and whether they arose from complying with securities legislation.
In addition, we have identified the porting of client information upon request in order to facilitate opening up an account with a different registrant as one scenario where the Data Portability obligation may be triggered. However, we are aware of and realize that there may be other areas in Canadian capital markets where a client may request that their personal information be ported to or shared with a third party. We would also be interested in understanding other common scenarios, and how your organization has prepared for such other scenarios.
Consultation Questions 1. What changes have you made in your organization (or that you expect to implement) to comply with existing or forthcoming Data Portability obligations, and what challenges have you encountered?
2. In what circumstances has there been a conclusion that the costs and complexities in implementing Data Portability resulted in the organization not being required to comply with such obligations? Are any of these related to securities legislation?
3. How do you anticipate that Data Portability will impact the investor experience, particularly in terms of reducing friction during transitions between service providers? If clients have already begun exercising their rights by utilizing these services, what has the feedback been so far?
4. What are the circumstances that you anticipate having to transfer data with external parties? How prevalent are these circumstances? Are there other regulatory obligations in securities legislation that market participants anticipate can be better satisfied through use of Data Portability?
2. Demand and Benefits of e-KYC and Other Data Portability Solutions We are aware of a number of e-KYC solutions in Canada and globally. We are also aware that a number of service providers in the digital identity authentication space have been considering providing e-KYC portability services in the future. In general, as noted above in the section
10
entitled “BCSC and ASC Survey”, we understand that there may be a market in those jurisdictions for solutions that expand registrant’s use of Digital ID in the next three years.
Before the participating jurisdictions consider launching a live testing environment to test e-KYC portability solutions, CSA staff would like to better understand how this type of product would fit into Canadian capital markets and whether market participants would utilize this product. We note that the KYC information transferred may be more than just third-party identity verification /business card information but also other information such as financial statements, existing account information, credit reporting and other information relating to the client’s financial circumstances, investments needs and objectives, investment knowledge, risk profile and investment time horizon. We are also aware that in its 2025-2027 strategic plan, the Canadian Investment Regulatory Organization (CIRO) has stated that it intends to consider pursuing the standardization of KYC information collected by firms to promote greater consistency in suitability determinations.
in Figure 1 above, we noted two examples of a type of e-KYC service provider; however, we acknowledge that there may be different ways to integrate e-KYC portability into Canadian capital markets. We invite participants to bring attention to other business models they may be considering so that we can consider whether there are regulatory impediments or guidance that need to be considered on how registrants can utilize an e-KYC portability solution while still complying with securities legislation.
Consultation Questions 5. What motivated you to consider adopting an e-KYC or other Data Portability solution and what features and improvements would you like to see in the future? Alternatively, if your organization would not consider adopting an e-KYC or Data Portability solution, what is the principal reason for not doing so?
6. In what ways could e-KYC and Data Portability contribute to broader inclusion of investors? What steps can be taken to ensure that individuals who may have limited access to traditional identification systems are not disadvantaged by these innovations?
7. Are you aware of other e-KYC or Data Portability business models being considered? 8. What sorts of information do registrants anticipate transferring? What types of data would it be useful for registrants to obtain upon new client onboarding or at other times? Is there certain data that registrants have concerns with being required to transfer?
9. Are there circumstances in which transfer of data enhanced by other market participants to provide additional value, such as risk tolerance assessments, would be appropriate, and if so what are those?
11
3. Regulatory Barriers and Mitigating Investor Risk Under Canadian securities legislation, registrants act as gatekeepers and maintain the integrity of the capital markets. As part of their gatekeeper role, registrants have a number of core obligations, including an obligation to take reasonable steps to ensure that they have sufficient information about a client to indicate whether an investment is suitable for the client, based on the factors set out in section 13.3 of NI 31-103.
KYC information is essential for determining suitability, and the suitability obligation protects the client, the registrant and the integrity of the capital markets. The KYC obligation requires registrants to take reasonable steps to obtain and periodically update information about their clients. The KYC process is an ongoing one which does not end after the initial collection of information is complete.
As discussed in greater detail in the companion policy to NI 31-103, the process of collecting and updating a client’s KYC information must amount to a meaningful and documented interaction between the client and the registrant. This companion policy also indicates that:
responsibilities arising from the KYC obligation cannot be delegated, a registrant may not rely on a third party for KYC information, registrants are expected to both establish the identity of, and conduct due diligence on, their clients under the KYC obligation, and the registrant remains responsible for the KYC process.
Consultation questions 10. In your opinion, are there any provisions or requirements in securities legislation or guidance that may create barriers on how your organization can utilize e-KYC or Data Portability solutions? If so, in your view, what is the most appropriate regulatory action that would enable or assist your organization to utilize an e-KYC or Data Portability solution (e.g. specific rule change, additional guidance)?
11. If you have already implemented an e-KYC solution, what specific challenges have you faced in implementing the solution? Have you faced challenges in implementing e-KYC or Data Portability solutions relating to varying regulatory frameworks internationally?
12. To what extent would industry-wide collaboration on Data Portability standards benefit registrants, and how can regulators such as the CSA support this collaborative effort? What challenges or barriers exist in developing and adopting such standards?
4. Privacy and Security Concerns In the theoretical e-KYC portability solution described in Figure 1, Example 1, a third-party data controller would hold personal information received from the subject and would release some or all of that information upon receiving consent or direction from the subject. In Figure 1, Example 2, a Data Portability obligation may require one registrant to release personal data to another
12
organization upon consent or direction from the client. There are a significant number of privacy concerns arising from these events, including the potential for accidental sharing with the wrong parties, cyberattacks, misuse of information by the third party and misuse of information by subsequent holders of personal information in a manner that was not intended by the original consent.
We are aware of scalability issues with traditional KYC processes, particularly where there may be a large number of new clients, each investing relatively limited amounts of money. We think an e-KYC portability solution may help with some of the scalability issues in this circumstance. However, the participating jurisdictions are also seeking to evaluate whether current e-KYC technology can scale to accommodate large customer bases while maintaining security and accuracy.
We are also assessing how registrants ensure informed consent for data collection and portability and how investors can rectify errors in their e-KYC profiles, and address unauthorized use of their data.
Consultation questions 13. How does a registrant ensure that investors are fully informed and able to provide meaningful consent for the use of e-KYC and other Data Portability solutions? What improvements could be made to better inform customers about their data ownership rights and portability options? What measures could be taken to enhance customer understanding and control over their data?
14. What risks arise from the use of e-KYC and other Data Portability solutions? What regulatory measures or industry best practices would be most effective in addressing those risks? How can the CSA help ensure that investors are protected while enabling innovation in this space?
15. Do you see any security or accuracy issues arising with respect to utilizing an e-KYC or other Data Portability solutions for a large number of clients?
16. How do current industry standard KYC processes mitigate risks such as deepfakes, synthetic identities, identity fraud, and regulatory non-compliance, and what additional measures or technologies could be implemented to enhance protection against these threats?
5. Technological Standards and Innovations The establishment, maintenance and oversight of a technical standard (or, potentially, standards) may be necessary in order to facilitate an efficient transfer of information between registrants. We are also aware that a single technical standard for data sharing is being considered as part of the Canadian consumer-driven banking regime in a manner that ensures that the standard is secure, open and accessible. This is intended to ensure that the consumer-driven banking framework meets key Canadian public policy objectives, including interoperability with standards in non-Canadian jurisdictions, providing a unified national
13
standard, and ensuring that data is exchanged securely. 13 Similarly, if registrants adopt e-KYC portability services (whether voluntarily or through regulatory direction) a unified comprehensive technical standard may be more efficient, secure and less burdensome.
The participating jurisdictions are also seeking to evaluate the risk of centralized data. Centralized storage of sensitive customer information may create security vulnerabilities due to a single point of failure. We are consulting industry to better understand whether decentralized models or enhanced security measures (e.g., encryption, decentralized ledgers) are implemented and what the results of their implementation are.
We are also interested in the potential role of emerging technologies (e.g., blockchain, AI) to enhance the security, efficiency, and scalability of e-KYC systems.
Consultation Questions 17. What technological infrastructure is required to support efficient Data Portability, and how does the cost of implementation impact your business? Are there specific technologies or innovations that could help reduce costs while maintaining security and compliance?
18. How do third-party service providers (e.g., data aggregators, e-KYC platforms) influence the Data Portability process? What role should these third parties play in facilitating secure and compliant data transfers, and what regulatory oversight might be necessary?
19. How do you foresee blockchain or AI impacting the implementation of data portability and e-KYC? What steps can regulators take to prepare for these technological advancements while maintaining market integrity?
20. Data Portability often involves the transfer of customer data across jurisdictions. What regulatory or operational challenges do you encounter when facilitating cross-border data transfers, and how can regulatory frameworks better support such transfers in a compliant and secure manner?
21. To what extent would standardized data formats (such as those proposed by the consumer-driven banking framework) facilitate Data Portability between registrants? Are there existing frameworks or standards that should be adopted or modified to improve interoperability? Are there risks or disadvantages to such standardization?
13 See section 2.10 of Budget 2024: Canada’s Consumer Driven Banking Framework (https://www.canada.ca/en/department-finance/programs/financial-sector-policy/open-banking-implementation/budget-2024-canadas-framework-for-consumer-driven-banking.html) and sections 2.9 and 2.10 of the 2023 Fall Economic Statement: Policy Statement on Consumer-Driven Banking.
14
6. CSA Collaboratory As noted above, the CSA Collaboratory aims to enable companies to test ideas while minimizing risk exposure and negative impact on capital markets. The environment is suitable for cases where CSA members have determined that risks can be managed effectively within well-defined boundaries. This environment may be particularly suited for cases where developments in technology may lead to emerging business models.
Consultation Questions 22. Would you be interested in participating in either the Phase 2: Industry Consultation Forum or Phase 3: Live Testing Environment? If you are interested in participating in the live testing environment, how do you think you will be able to participate? (e.g. as a registrant using potential e-KYC services, or a potential e-KYC service provider)?
23. Although this first theme deals with emerging issues related to data portability and e-KYC, CSA staff are interested in developing further cohort-based testing environments. To that end, we are interested in understanding if there are emerging areas for the CSA to consider in subsequent cohorts. Please let us know if there area any particular areas of interest for us to further consider in future Testing Environments.
Comment Process and Next Steps The participating jurisdictions invite participants to provide input on the issues outlined in this discussion paper. You may provide written comments in hard copy or electronic form.
We encourage commenters to provide comments on only those questions to which they can provide the most meaningful contribution. We will use this feedback to inform our understanding of the issues described above and identify areas of focus for Phase 2.
Once the participating jurisdictions have considered the feedback from Phase 1, staff from the participating jurisdictions will provide an update on the CSA Collaboratory website at https://www.securities-administrators.ca/collaboratory/. This update is expected to identify which topics we will focus on in Phase 2 and a schedule for these consultations.
Please submit your comments in writing on or before May 19, 2025. Address your submission to all of the CSA as follows: British Columbia Securities Commission Alberta Securities Commission Financial and Consumer Affairs Authority of Saskatchewan Manitoba Securities Commission Financial and Consumer Services Commission, New Brunswick Superintendent of Securities, Department of Justice and Public Safety, Prince Edward Island Nova Scotia Securities Commission Office of the Superintendent of Securities, Service NL Northwest Territories Office of the Superintendent of Securities
15
Office of the Yukon Superintendent of Securities Nunavut Securities Office
You may submit your comments at https://www.securities-administrators.ca/consultations/. Your comments will be distributed to the participating CSA members.
Questions Please refer your questions to any of the following: British Columbia Securities Commission Khalil Jessa Elliott Mak Senior Legal Counsel, Senior Legal Counsel, Capital Markets Regulation Corporate Finance kjessa@bcsc.bc.ca emak@bcsc.bc.ca
Alberta Securities Commission Mohamed Zohiri Legal Counsel and FinTech Adviser Advanced Research and Knowledge Management (ARKM) Mohamed.Zohiri@asc.ca
Financial and Consumer Services Commission (New Brunswick)
Jake Calder Manager of Policy Securities Jake.Calder@fcnb.ca
Manitoba Securities Commission Chris Besko Executive Director chris.besko@gov.mb.ca
Chelsea Tolppanen Legal Counsel Advanced Research and Knowledge Management (ARKM) Chelsea.Tolppanen@asc.ca
Financial and Consumer Affairs Authority of Saskatchewan
Graham Purse Legal Counsel Securities Division graham.purse2@gov.sk.ca
Nova Scotia Securities Commission Cynthia Tambago-Alday Deputy Director, Registration & Compliance Cynthia.Tambago-Alday@novascotia.ca