Financial Archives - IPOsgoode
An Authoritative Leader in IP

OSFI Releases Final Version Of Guideline B-13: Technology And Cyber Risk Management
Mon, 15 Aug 2022 16:00:00 +0000

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on  on July 27, 2022.


On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), which describes OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks.

OSFI views the large increase of cyber incidents in Canada as an urgent call for FRFIs to bolster their technology and cyber risk management practices. Guideline B-13 is OSFI’s answer to this call and provides a flexible, principle-based regulatory framework for FRFIs to strengthen their cybersecurity posture with strategies that account for their size, nature, scope, and complexity.

Guideline B-13 is the final result of an extensive consultation process that started in September 2020 and included an initial draft Guideline B-13 in November 2021, as previously reported by the E-TIPS® Newsletter. The final Guideline B-13 takes a more streamlined approach than the previous iteration and is organized around three “domains” as opposed to the first draft’s five-domain structure. Each domain sets out specific outcomes for FRFIs to achieve in order to align with OSFI’s expectations:

  1. Governance and Risk Management: Technology and cyber risks should be governed by clear accountabilities and structures, and comprehensive strategies and frameworks.
  2. Technology Operations and Resilience: The FRFI has a technology environment that is stable, scalable, and resilient. The environment should remain current and supported by technology operating and recovery processes that are “robust and sustainable”.
  3. Cyber Security: Guideline B-13 requires the FRFI to implement a technology posture that maintains the confidentiality, integrity, and availability of its technology assets.

Guideline B-13 is set to come into effect on January 1, 2024, which gives FRFIs time to review the framework and ensure that they are in compliance.

The Future is Funding? Women Receive Just 2% From a Big VC Funding Year
Tue, 15 Feb 2022 17:00:49 +0000

Meena Alnajar is an IPilogue Writer, IP Innovation Clinic Fellow, and a 2L JD Candidate at Osgoode Hall Law School.

2021 was a big year for innovation and small businesses—venture capital (“VC”) funding reached an all-time high with higher funding in the US than the total raised in 2020. are investors who provide funds to small businesses and start-ups that exhibit exceptional growth potential based on market studies. In return, investors get equity in the company and may have a say in future decisions. It is an increasingly and fast way to fund new businesses. Yet despite this growth, women-founded companies receive just a small cut of this large investment. In particular, women-founded companies earned only percent of the . What stands between women’s ideas and the capital that helps them flourish? Industry barriers and sociocultural changes may provide some answers.

With unemployment on the rise, several studies find women are disproportionately affected by industry setbacks. A study found that women were 1.8 times more vulnerable to losing work than men in the pandemic, which may have made investors nervous to fund many women-led businesses this year. Beyond the pandemic context, some attitudes within the VC industry may also drive the disparity between men’s and women’s VC funding.

In the industry, gender stereotypes not only create a barrier to hiring women in the start-up space, but also seek to discredit a woman’s value when pursuing certain ventures. For instance, , CEO and Co-Founder of the venture-backed tech company Vivoom, noted that “Male VCs … are very comfortable now giving female entrepreneurs capital for ”, like the stereotypical household and baby products, but hesitate to fund cutting-edge software and technology founded by women. While women are now welcome in the venture space, there seems to be only certain rooms they can enter if they want to be well-funded by male VCs. Those in control of the funds seemingly control the gender disparity in VC funding of certain companies. Could the solution to the disparity be to encourage more women to act as investors?

The disparity in funding women-led ventures could stem from the fact that women make up only 6.3% of investors, based on . However, simply including more women as investors is unlikely to alleviate the disparity observed in VC funding. Women-identifying investors face problems when attempting to back ventures. Since women also experience gender disparity in business leadership, women who are investors are less likely to have been . Entrepreneurs to accept money from (and relinquish equity to) investors without this experience. The proportion of women as venture capitalists is not the only issue; how women venture capitalists are perceived by entrepreneurs is also problematic. On the surface, women-identifying VCs have investment success rates than men. Upon further examination, this performance difference is venture selection, but rather the VC firm’s features such as . Selecting women-identifying investors is not a proven solution to alleviating gender disparity. However, co-workers and entrepreneurs supporting women investors in their work environments can further women-led VC success.

The gender disparity affects several stages of the VC pipeline, from investor disparities to the lack of women-led VC in prominent sectors like tech. To close this gap, business institutes recommend of a small business. For example, if a start-up classifies itself as a social impact venture, investors should utilize the peer-assessment model instead of estimating capital flow to determine the “investability” of that venture. In addition, having positions may overcome stereotypes and biases from investors by providing evidence that women can lead successful businesses.

The gender disparity not only hinders women-led VC potential but also dismisses women-led VC’s success in the market. found that women-led start-ups can deliver high revenues, nearly twice the amount of every dollar invested. Further, women-led businesses are to employ women and their businesses are more likely to focus on and employee relationships. When you invest in women, it propagates into more opportunities for women and positive contributions to societal issues like labour relations. Limiting women’s access to funding could deprive us of innovative ideas and employment opportunities. Women have been driving exceptional businesses in the last decade and can continue to do so with greater investment. VCs should therefore consider looking beyond stereotypes and invest in women, to invest in better futures.

Eli Lilly v. Canada: Investor-State Arbitration Is an Open Gate for the “Patent Trolls”
Sun, 05 Nov 2017 22:18:35 +0000
In 2017, Canada won the dispute against the US-based pharmaceutical company Eli Lilly in investor-state arbitration (ISA). Foreign investors can sue sovereign governments in ISA in case of mistreatment, such as, for example, expropriation, a violation of fair and equitable treatment and discrimination. To succeed in its claim, the investor should show that the state violated the provisions of an international investment agreement (IIA) such as, for example, the .

Eli Lilly brought its claim after the Canadian courts revoked two of the company’s patents on the basis that these patents lacked utility. The courts applied “” to invalidate the patents on the basis that the patents lack . In ISA, Eli Lilly argued that the Canadian test for utility of the patent is arbitrary “judge-made law” and thus constitutes a violation of Canada’s international obligations under NAFTA. The company advanced its challenge against Canada on two accounts. First, Eli Lilly claimed that the judicial interpretation of utility in Canada (the so-called “promise doctrine”) contradicts the meaning “capable of industrial application” under NAFTA, Chapter 17. Second, the company alleged that Canada’s utility standard has abruptly changed over the years. According to Eli Lilly, such “dramatic” change in the judicial interpretation of the utility standard is problematic because it violates Chapter 11 of NAFTA. Both arguments questioned the traditional role of the domestic courts in interpreting and applying the patentability criteria. Ultimately, Eli Lilly’s argument failed in ISA. In short, the ISA arbitrators concluded that Eli Lilly failed to produce sufficient evidence to support its allegations.

For the Government of Canada, however, it may be too early to celebrate this victory. The reasons become evident after appreciating the context of Eli Lilly’s claim. First, Eli Lilly’s dispute lasted more than five years. NAFTA does not provide parties to a dispute with procedural mechanisms to dismiss the claims early, akin to summary judgment or failure-to-state-a-claim provisions in common law jurisdictions. Accordingly, NAFTA permits claims that may eventually lack any legal or factual foundations without providing an opportunity to curb such claims early to minimize the costs. Second, the tribunal did not explicitly address whether a change in the judicial interpretation of the state’s patent law can potentially violate this state’s international legal obligations, including those under IIAs. In practice, it means that the doors for claims similar to Eli Lilly’s remain open. The consequences are significant for states parties to ISAs. to defend the investment claims average at US 5 million dollars per one dispute. Losing such a claim is an even more expensive option for states for two reasons. First, the monetary costs may be substantial. For example, Eli Lilly demanded in damages. Second, losing a claim may result in reputational harm for a state as a potential destination for foreign investment. As a result, some states prefer a settlement of the dispute over facing a foreign investor in the ISA process.

These factors combined create a structure that encourages foreign investors to bring IP claims in ISA against states in the hope of achieving a favourable settlement in a fashion similar to the “patent trolls”. Claims similar to Eli Lilly’s can become a tool for speculation. In particular, the claimants can allege that the states’ patent laws dramatically change and such change constitutes a violation of an applicable IIA. If an effective mechanism for early dismissal is not available, a state has to defend against the claim for a prolonged period of time and face substantial costs. Some states, however, lack the financial or expert capacity to uphold such a defence. From a policy perspective, the concern is that Eli Lilly-type claims may inspire foreign investors to file claims against states not to vindicate their property rights, but rather to use such claims as a bargaining chip to achieve profitable settlements. Such procedural use of IP rights (and particularly patents) fundamentally contradicts the purpose of the national IP systems that grant IP rights for the benefit of society and not merely “”.

Towards an EU-wide strategy on Fintech
Wed, 19 Apr 2017 16:24:01 +0000
The re-posting of this article is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.

On March 23 the European Commission organized a conference devoted to institutions, regulators, professionals and scholars from all over Europe on ‘#FinTechEU – Is EU regulation fit for new financial technologies?’.

The conference was also the occasion for the Commission to announce an . The existing EU legislative framework on financial services for consumers is considerable and therefore the Commission does not foresee the adoption of fresh legislation. Instead, the innovations in retail financial services brought about by the surge of Fintech require enforcing the existing applicable rules and adapting them to the new technological scenario. Online payments, robo-advisory, P2P lending and virtual coins are only some examples of such disruption, which poses new legal challenges at all levels.

The Action Plan focuses on two main issues:

  1. cross-border provision of services across the EU single market, by enhancing the eIDAS regulation infrastructure (which enables consumers to be recognized via an electronic identification system) on one hand and, on the other, by introducing common creditworthiness assessment standards;
  2. consumer protection and in particular pre-contractual disclosure requirements in light of the new technological environment.

In the context of the Action plan, the Commission launched a public consultation on ‘Fintech: a more competitive and innovative European financial sector’ (is the consultation document) to collect the stakeholders’ views on the following policy objectives that according to the Commission constitute the main opportunities, and the relevant challenges, related to Fintech:

  • fostering access to financial services for consumers and businesses;
  • reducing operating costs and increasing the efficiency of services;
  • improving market competitiveness by removing or lowering entry barriers;
  • finding an appropriate balance among data sharing, transparency, security and privacy needs.

Based on the and the work of the EU Fintech task force, the Commission will propose a European strategy for FinTech, to develop and improve the most promising sector in the financial services area.

The EU Commission’s interest in Fintech as a new frontier of financial services is meaningful. Also, it should be stressed that the Commission decided to focus on the characteristic areas of European action, such as the creation of an integrated internal market and consumer protection. To this purpose the consultation document is particularly interesting as it presents the main challenges raised by the innovations in financial services, from the use of AI and big data analytics for automated financial advice and execution, to the use of sensor data for risk evaluation in the Insurtech sector, to the Regtech impact on compliance costs, to the use of DLT in financial services, to the regulatory barriers for new market entrants, etc.

According to the Commission the EU policies on Fintech should be:

  1. Technology neutral – to ensure that the same activity is subject to the same regulation;
  2. Proportional;
  3. Integrity-enhancing with a focus on market transparency to the benefit of consumers and businesses.

In the scenario depicted above, consumer protection appears to be particularly challenging. An example is the pre-contractual information allowing consumers to make well-informed choices. In this respect, the spread of online services creates a growing need for simplicity in access to information.

This aspect, however, will certainly require adapting the existing rules. An example of this issue is robo-advisory, where the traditional information asymmetries are combined with significant technological information asymmetries. Does the consumer have to be informed, for instance, about the characteristics of the robo-advisor’s algorithm? How detailed should consumer information be, considering the great influence that the calculation power might have on investment choices?

A first answer to the above questions may be found in the and addressing the issue of disclosure. These guidelines, amended where necessary, might be a model for one of the actions of the announced EU Fintech strategy.

Fintech - Stake a Patent Claim?
Wed, 26 Oct 2016 20:26:42 +0000
OVERVIEW

Similar to other traditional industries, a digital revolution for financial services is underway. Financial technology, or “FinTech,” is an accelerating technical sector gaining in popularity with both traditional financial institutions and new market entrants. Competitors are forming constructive partnerships to collaborate, efficiently develop, and deploy new FinTech products and services. Patents for core technology provide a mechanism to exclude others from making, using or selling patented technology. A company may also permit use of patented technology by third parties or contribute to a patent pool using various licensing arrangements while still maintaining control of its intellectual property rights. However, recent case law and patent office guidelines make obtaining global patent protection for FinTech an increasingly complex matter.

FINTECH PRIMER

FinTech is transforming the financial sector by supplementing or replacing traditional services, business models and providers. FinTech may create brand new market opportunities or give a competitive edge in relation to traditional offerings. This may have broad ranging implications for diverse stakeholders, including major financial institutions, insurance companies, hedge funds, institutional investors, ratings agencies, audit and accounting firms, regulators, technology companies, consortiums, not-for-profits and start-ups. Indeed, large institutions may be making significant investments upgrading or replacing legacy technology systems with new FinTech products.

 

PAYMENTS

Digital wallet technology is already in public use and will likely be employed on a widespread scale in the future. Digital cards include credit cards, debit cards, public transportation cards and other value cards offered by different companies. Mobile technology companies and retailers are entering the payment space with smartphone payment tokens, networks and applications. Digital payment accounts like PayPal™ are also widely accepted on e-commerce platforms and by the public at large, with intramember payment exchanges often not involving traditional financial institutions. Shopify™, for example, is an online and brick-and-mortar transaction platform provider based in Ottawa, and raised $131 million in its initial public offering. Another payment company, Adyen™, now valued at $2.3 billion, enables Web companies such as Facebook™ and Yelp™ to accept and process payments, and provides mobile-payment tools for clients such as Uber™ and Airbnb™. Finally, Nanopay™, a Toronto-based provider of a payment and loyalty mobile application that combines identity, loyalty and payment into a single-use transaction token for contactless payment, recently acquired the Mintchip™ digital payment platform from the Royal Canadian Mint.[1]

 

BLOCK CHAIN

A block chain is a decentralized peer-to-peer network of nodes recording authenticated, encrypted transactions as a distributed public ledger, thereby providing a trust and verification system [2] by using programmed rules to govern the replication of the ledger across the computing nodes of the networks. Initially invented as a solution to the weaknesses of a trust-based model,[3] the increased use and development of block chain infrastructure is changing payment and secure transaction ledgering services by providing increased security, integrity and verifiability of transactions. Currently, public block chain technology may be used under open license with transparency to help third parties understand the technology offering and associated security levels to build interoperable, trusted solutions. Private and hybrid block chain networks are also being developed by companies individually and working together through consortiums.

While block chains are well known as the technology underlying the transaction database for digital currency,[4] block chains can also be utilized in other types of applications. These include verifying proof-of-existence, smart contracts that automatically execute when certain conditions are met, verifying origin and delivery of products, and peer-to-peer exchanges. For example, Slock™ develops technology that combines block chain and the Internet for peers to rent, share or sell “things” such as parking spots and apartments.

 

LENDING

New lending, investing, and fundraising models are emerging. Indeed, crowdfunding platforms like Kickstarter™ enable an organization or individual to reach out directly to a community to raise capital for a business, product or creative endeavour. SeedsUp™, another example, is a Canadian equity crowdfunding platform for limited private placement offerings for early stage businesses.

FinTech also generates financial inclusion and opens new markets through the provision of microfinance solutions, which offer small amounts of financing to new customers that may not have qualified for traditional funding sources.[5] A prime example of this is M-Pesa™, a mobile-phone microfinancing service launched in 2007 by Vodafone™ for the largest mobile network operators in Kenya and Tanzania — Safaricom™ and Vodacom™.

New personal investment solutions are also emerging. Toronto start-up Borrowell™ offers online lending technology to provide low-interest personal and business loans, and another Toronto start-up, Wealthsimple™, which offers a low-fee automatic rebalancing system, recently raised $10 million in Series A funding from Power Financial Corporation.[6]

 

REGULATORY COMPLIANCE AND AUDIT

Establishing fairness and trustworthiness of financial transactions becomes increasingly complex as different types of financial transactions emerge. Organizations expend significant resources to adhere to evolving regulatory requirements.[7] The rise of FinTech provides innovative tools that may help alleviate the burdens of such compliance, validation and verification.

Companies can leverage technology such as distributed ledgers, block chains, encryption, automation, and others to perform tasks which otherwise would have been impractical or impossible with traditional methods. While these technologies are starting to gain in capability and acceptance, it is a challenge to understand how evolving jurisprudence and regulatory activities apply to FinTech innovation. Legal requirements may develop out of step with technology, and compliance may be uncertain where regulation is drafted around outdated or obsolete technologies.

 

The full article is available in the latest issue of the , volume 28(3), pp. 303-314.

Maya Medeiros is a lawyer, patent agent, and trade-mark agent at Norton Rose Fulbright LLP Canada (Toronto). Maya Medeiros’ practice focuses on the creation and management of intellectual property assets in Canada, the United States and around the world.

Brian Chau is an Associate at Norton Rose Fulbright, focusing on intellectual property, primarily patent prosecution, strategy, and portfolio management.

 


 

[1] There are several other examples: Adyen also provides point of sale technology for retailers, and Braintree (acquired by PayPal™) provides an online and mobile payment application that aggregates different payment options and currencies, and offers an API for developers.

[2] The Standing Senate Committee on Banking, Trade and Commerce, Digital Currency <http://www.parl.gc.ca/Content/SEN/Committee/412/banc/rms/12jun15/home-e.htm>.

[3] S. Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System (2008).

[4]  A digital currency secured with encryption is a cryptocurrency. A prime example is Bitcoin™, which is the most widely used cryptocurrency-issuing system built on a block chain framework. Cryptography greatly decreases the vulnerability of the block chain to unauthorized or malicious changes.

[5] Many people worldwide, for example, do not have access to traditional banks.

[6] Financial Post, online: <http://business.financialpost.com/entrepreneur/fpstartups/wealthsimple-aims-to-turn-financial-services-industry-on-its-headwith-new-low-coast-approach-to-investing>.

[7] Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 111-203, H.R. 4173), Sarbanes-Oxley Act of 2002 (Pub. L. 107-204, 116 Stat. 745).

 

German Regulator Finds Banks’ Data Rules “impede non-bank competitors”
Thu, 04 Aug 2016 16:43:25 +0000
The re-posting of this article is part of a cross-posting agreement with CyberLex.

“Open Banking” is an emerging term in financial services / financial technology that refers, among other things, to the use of open application programming interfaces (“APIs”) to enable third party developers to build applications and services around a financial institution. This requires a financial institution to throw open the doors to its customer data and allow it to be used by developers and other third party providers. Think of it as an app store for banks, where the apps allow consumers to compare rates, manage their accounts, obtain credit and make payments – all without having to actually engage a bank.

In Europe, this is set to become the norm in early 2018, thanks to the revised which was passed in January. PSD2 is designed to create a more level playing field for third party payment processors by making banks in Europe offer APIs that provide access to account information to third parties.

Some banks are embracing this, and see it as an opportunity to drive value in innovative new ways. Other banks are not as keen, and are taking steps to cut out the interlopers to preserve existing value and protect the customer relationship.

Long before there was a concept of “open banking”, there were similar products available, products that don’t rely on the openness of banking but rather the willingness of an account holder to share his or her login information. Users provide their user IDs and passwords for the financial accounts they want to consolidate, so that the aggregation service can access these accounts to gather their financial information (a process known as “screen scraping”). A single third party web portal then displays the information, dashboard-style.

 

Concern in Canada and the US

In March of 2011, the Financial Consumer Agency of Canada (“FCAC”) issued a , warning Canadians to be aware of the possible risks of disclosing their online banking and credit card information to financial aggregation services. Aside from the obvious data security and privacy risks, the FCAC cautioned that using such a service could also violate the terms and conditions of the account:

Consumers should be aware that if they disclose their online banking information to any other party, including financial aggregators, they may risk losing their protection against unauthorized transactions. Some financial institutions’ user agreements clearly state that users will be responsible for unauthorized transactions if they provide other parties, including financial aggregators, with their passwords and account information.

The FCAC reminded consumers it was their responsibility to manage their online banking and credit card credentials in accordance with the terms of their user agreements, as well as to review their user agreements and to understand their responsibilities thereunder.

In 2015, that a number of US banks had cut off data to these financial aggregators, citing concern that the rising use of such sites will overload bank servers, on top of worries that customer data could potentially be vulnerable to hackers. The aggregators charged that the banks, facing increasing competition from these companies, were becoming too protective of their customer information.

 

Germany Finds Banks’ Data Rules Violate Competition Law

The German competition regulator has now weighed in,  that rules set by the German Banking Industry Committee violate both German and European competition law by imposing “special conditions for online banking” that mean customers cannot use their PINs (personal identification numbers) and TANs (transaction authentication numbers) in non-bank payment systems.

This, said the German regulator, has “significantly impeded” the use of non-bank providers for online purchases, preventing people from using lower-priced alternatives.

The German Banking Industry Committee had cited security concerns as the basis of the rules but the German competition regulator (the Bundeskartellamt) dismissed this, saying that “the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors”.

Andreas Mundt, president of the Bundeskartellamt, said:

The online banking conditions of the German Banking Industry Committee hinder the offer of new and innovative services in the growing market for payment services in the e-commerce sector. In essence, it is about whether non-bank payment services can also use PINs and TANs. We have taken careful consideration of the justified interest of the banking industry that security in online banking has to be safeguarded. However, the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors.

The Bundeskartellamt has only declared certain specified clauses of the banks’ terms and conditions illegal, not the entire agreement. It also suspended the enforcement of its decision, meaning the parties are not under tight deadlines to change their course of action, although they must make the necessary changes. The Bundeskartellamt also noted that rules governing the activity of non-bank payment solution providers are currently undergoing a European legislative process.

 

© McCarthy Tétrault LLP

is Counsel in McCarthy Tétrault’s National Technology Group.

The post German Regulator Finds Banks’ Data Rules “impede non-bank competitors” appeared first on IPOsgoode.

Life After BitCoin: The Future of Banking May Be in the Blockchain /osgoode/iposgoode/2016/04/11/life-after-bitcoin-the-future-of-banking-may-be-in-the-blockchain/ Mon, 11 Apr 2016 13:36:14 +0000 http://www.iposgoode.ca/?p=29064

The post Life After BitCoin: The Future of Banking May Be in the Blockchain appeared first on IPOsgoode.

Introduction

In the past 6 months, the US Patents & Trademark Office (USPTO) has published more than 200 patent applications filed by Bank of America, Goldman Sachs, JPMorgan Chase and other top-tier financial institutions for their own proprietary blockchain systems. Previously the territory of online anarchists and drug dealers, why are banks suddenly so interested in protecting this technology? It’s quite simple: it could save them a lot of money transferring money. A report co-authored by UK-based Santander estimated that blockchain technology could reduce banks' infrastructure costs by up to $20 billion per year. While the blockchain is so much more than a bank’s cost-cutting measure, I endeavored to investigate for this purpose.

What is the Blockchain?

Many technology experts are vaguely aware that the blockchain is the technology underpinning Bitcoin, an open-source (and thus unpatentable) digital currency system which is both complicated and controversial. However, the blockchain itself, the mechanics of which can be personalized (and perhaps patented), is remarkably uncontroversial. A blockchain is essentially a record, or a ledger, of digital events. The information “bundle” which makes up an independent data transfer event is broken down and shared across geographically diverse and computationally isolated nodes (which are users’ computers), which independently confirm the event’s details. The ledger can only be updated by data consensus within the information ledger, making fraudulent transactions functionally impossible. Furthermore, once the information is , there is a certain and verifiable record of the transaction which lasts forever. In essence, the blockchain allows complete strangers to exchange digital property (currency included) in a completely transparent way without a central “clearing house” or intermediate organization required to process information or relay the outcome of the transaction.

Use & Potential

The intermediaries: credit card companies, payment processors, and international clearing houses have . Blockchain can do each of these data transfer events for fractions of a penny, regardless of location, without an intermediary. Beyond cost savings, the blockchain presents significant risk reduction opportunities. The problem with the intermediaries we historically rely on is that they can be hacked (think of Target’s credit card data loss scandal), lie (think of securities fraud) or be plainly incorrect. Case in point, Estonia, which secures much of its banking infrastructure with a blockchain, now boasts the .

The Future of the Blockchain

Although over 40 of the largest chartered banks, including the above-mentioned institutions, have agreed to a with the startup R3 CEV, finding an agreeable standard will be difficult, and many early adopters may not want to share what they have worked for. Whatever your opinion of Bitcoin, the blockchain is here to stay, and until a common source standard can be found, the mechanics of in-house blockchains will be a hot topic for IP lawyers.

 

Graham Haynes is a JD Candidate at Osgoode Hall Law School and is currently enrolled in the course “Legal Values: Commercializing IP” (Winter 2016). As part of the course requirements, students are asked to write a blog on a topic of their choice.

 

Canadian Banking Industry Releases Payments Security White Paper /osgoode/iposgoode/2015/08/18/canadian-banking-industry-releases-payments-security-white-paper/ Wed, 19 Aug 2015 02:25:33 +0000 http://www.iposgoode.ca/?p=27782

The post Canadian Banking Industry Releases Payments Security White Paper appeared first on IPOsgoode.

The re-posting of this article is part of a cross-posting agreement with CyberLex.

The Canadian banking industry recently released the Payments Security White Paper, prepared by the six largest Canadian banks (BMO, CIBC, National Bank, RBC, Scotiabank, TD). The white paper outlines the evolution of mobile payments in Canada, reviews risks associated with various types of mobile payments, and explores potential considerations for the future.

The paper was guided by three overarching principles: the need for security, the need for openness (the mobile payment environment should be open to any mobile wallet on any mobile device) and the desire to support innovation in mobile payments.

 

Mobile Payment Evolution in Canada

The paper discusses the evolution of mobile payments in Canada, and notes that it is currently still estimated that “fewer than 25% of Canadian consumers have all the required elements to participate in mobile payments”. Challenges to mobile payment adoption include the limited penetration of contactless or NFC (near field communication) point of sale devices, and the lack of interoperability between issuers, mobile devices and mobile network operators.

In considering the evolution of mobile payments, the paper describes as “a fundamental paradigm shift for security” the evolution from traditional SIM-based payments (where the secure element is stored on the mobile device) to Host Card Emulation (HCE) solutions (where the secure element is stored in the cloud). According to the paper, risks associated with SIM-based payments can be rated as either low risk (in the case of technology risk), low to medium risk (reputational risk) or medium risk (operational risk). In contrast, risks associated with HCE mobile payment solutions are rated as either medium to high (technology risk) or medium (operational risk, reputational risk). Therefore, as HCE-based mobile payment solutions become more prevalent, security risks will likely increase and will need to be managed accordingly.

 

Open Mobile Wallets: Potential Additional Risks

Open mobile wallets, which would include Apple Pay, Google Wallet, Samsung Pay and, in Canada, UGO Wallet, are mobile wallets that are open to multiple participant issuers (in contrast to proprietary single issuer solutions, such as the Starbucks payment app, or traditional bank apps).

Open mobile wallets involve interactions between many unrelated third parties and could be subject to additional risks as a result, such as the possibility of a higher potential of fraud (due to risks relating to customer identification and verification), risks arising as a result of reliance on third parties (including any token service provider where tokenization is being used) and data privacy and data ownership issues (given the additional data being generated and potentially shared, such as transactional data, location data, etc.). This is particularly the case given the lack of existing standards and certification processes in the industry.

By way of example, Apple Pay earlier this year suffered incidents of fraud, not because of a breach to its security but because the Apple Pay customer verification process allowed fraudsters to register and use stolen cards through Apple Pay. Customer verification will be an ongoing challenge as issuers develop ways to better integrate third party providers into their existing verification processes. With respect to the emergence of new customer identification and validation techniques, such as biometrics, the white paper argues that, at least until the reliability of new techniques is proven, something the “customer knows”, such as a traditional PIN or password, is preferable to something the “customer is”, such as a biometric read.

 

Proposed Path Forward

The paper indicates that, in order to achieve the guiding principles described above (security, openness, innovation):

  • Mobile payments should provide at least the same level of security as traditional chip-and-PIN payments.
  • Robust customer identification and verification processes (both at the time of enrollment and at the time of a transaction) are required to protect against payment fraud.
  • There needs to be a compelling value proposition to customers. The experience of using mobile payments needs to be as good as, or better than, using traditional plastic cards for customers to migrate to mobile payments.

 

Conclusion

The mobile payment landscape has evolved significantly in the past few years in Canada, with banks and non-financial institutions launching both proprietary and open mobile wallets and payment applications, and is expected to continue to evolve quickly, with the anticipated arrival of new payment solutions in Canada (including Apple Pay), continuing developments relating to cloud-based payment solutions, advances in tokenization, and the development of novel customer verification and identification methods (biometrically-based or otherwise). As outlined in the white paper, there remain many risks and challenges in this area which will continue to need to be carefully addressed going forward in connection with such developments.

 

© McCarthy Tétrault LLP

is a partner in McCarthy Tétrault’s Financial Services Group in Toronto.  is an associate in McCarthy Tétrault’s Business Law Group in Toronto.

U.S. Federal Financial Institutions Examination Council (FFIEC) Releases Cybersecurity Assessment Tool /osgoode/iposgoode/2015/07/23/u-s-federal-financial-institutions-examination-council-ffiec-releases-cybersecurity-assessment-tool/ Thu, 23 Jul 2015 17:18:55 +0000 http://www.iposgoode.ca/?p=27685

The post U.S. Federal Financial Institutions Examination Council (FFIEC) Releases Cybersecurity Assessment Tool appeared first on IPOsgoode.

The re-posting of this article is part of a cross-posting agreement with CyberLex.

On June 30, 2015, the FFIEC released its cybersecurity assessment tool designed to assist U.S. financial institutions and regulatory examiners identify inherent cybersecurity risks and determine the preparedness level of financial institutions. The cybersecurity assessment tool and other resources can be found here.

Background

The FFIEC, which is composed of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration and the State Liaison Committee, formed the Cybersecurity and Critical Infrastructure Working Group in 2013 to assess cyber risk and increase awareness among U.S. financial institutions. In 2014, the FFIEC ran a pilot examination program where it assessed the preparedness of over 500 financial institutions. The assessment tool is partly the result of that study.

 

General Observations

The FFIEC notes cyberattacks have become more common. New platforms, such as cloud and social media, and new technologies, such as mobile devices and applications, are creating new cyberattack opportunities. Attacks are evolving as more information becomes readily available online, allowing attackers to tailor attacks based on the online behavior of their targets.

The release of the Cybersecurity Assessment Tool demonstrates that regulators are becoming increasingly concerned not only about the level of readiness of financial institutions, but also about the capability of financial institutions’ senior management and boards to respond to cyberattacks. As concern over cybersecurity grows, additional pressure is being placed on senior management and the board to ensure the institution is implementing appropriate risk management and governance practices to ensure the right information is communicated to the right people at all times.

The assessment tool is structured as a two-part process. The first part consists of an assessment of the institution’s inherent risk profile according to its type, volume and complexity of technology and connection types; delivery channels; online mobile products and services; organizational characteristics and external threats, without consideration for any mitigating controls already in place.

The second part consists of an assessment of the institution’s cybersecurity maturity in five different risk areas or domains: management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; cyber incident management and resilience. Each domain includes assessment factors, components and declarative statements that enable institutions to identify practices, process and controls in place across five maturity levels: baseline, evolving, intermediate, advanced and innovative.

The assessment is not designed to identify an institution’s overall cybersecurity maturity level. Rather, the tool can be used to understand whether the institution’s risk management practices and controls are aligned with its inherent risk profile, or whether more needs to be done to achieve the desired level of preparedness. As the institution’s inherent risk profile rises so should its maturity level. The preparedness level should be evaluated periodically, in particular when the institution plans to introduce new products or services or modify its business operations. As the FFIEC states “The assessment [tool] provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time.”

In Canada, the Office of the Superintendent of Financial Institutions (“OSFI”) has previously issued in 2013 a very detailed . Similarly to the FFIEC assessment tool, the OSFI guidance provides categories for self-assessment in respect of cyber security practices, each of which is divided into different criteria, that cover multiple operational areas of an institution beyond information technology. Unlike the FFIEC’s assessment tool, the OSFI guidelines are structured as a single-part assessment of six different risk areas, allow institutions to consider mitigating processes and practices already in place, and do not advocate for information sharing among financial institutions. Both tools provide institutions with repeatable steps that can be used to regularly evaluate their existing processes and resources and to determine whether there are any gaps that should be addressed to reach the desired level of preparedness in the event of a cyberattack.

 

© McCarthy Tétrault LLP

is a partner in McCarthy Tétrault's Financial Services Group in Toronto.  is an associate in McCarthy Tétrault's Business Law Group in Toronto.
