The commercial lending industry in Canada, as part of the broader financial services sector, is undergoing significant change due to the advent of new technologies. Innovations such as artificial intelligence (AI), open banking, and digital onboarding are reshaping how loans are originated, managed, and serviced in Canada.

These advancements present businesses with new opportunities for improved efficiency and enhanced customer experiences but also introduce unique legal challenges. This article expands upon our discussion on the topic in 2024 and explores the key drivers of financial technology (FinTech) innovation in Canada’s commercial lending industry and the emerging legal questions.

AI and risk assessment

In the commercial lending space, AI is increasingly being used to optimize decision making processes and risk management. Certain financial institutions are beginning to use AI to assess the creditworthiness of businesses, predict market trends, and automate underwriting processes. Non-bank lenders such as FundThrough have begun to use AI-powered algorithms to offer tailored financing options for small and medium enterprises,[1] while larger banks may use machine learning to efficiently produce accurate credit scoring algorithms. 

However, the integration of AI in commercial lending raises significant legal concerns, especially regarding transparency, accountability, and fairness. Canadian lenders levering AI must consider whether their AI systems adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA) and other provincial data protection laws and regulations to prevent violations of privacy rights in the decision-making process.

Open banking

Open banking allows businesses to securely share their financial data with third-party providers, a practice that is gaining popularity in Canada’s commercial lending sector. Major banks and financial institutions have begun to adopt open banking practices to facilitate an efficient and accessible data exchange for commercial loan assessments.

While open banking benefits businesses by giving them greater control over their financial data and enhancing access to credit, it introduces risks related to data breaches and unauthorized access. Canadian legislation and regulations must adapt to ensure robust consumer and business data protection without inhibiting innovation, as discussed in our 2024 discussion the recently enacted Consumer-Driven Banking Act (S.C.2004, s.198) aims to do so. Financial institutions may start to increasingly engage legal professionals to advise them on whether their open banking systems practices comply with the laws, and whether their agreements with third-party providers mitigate liability.

Digital onboarding

Digital onboarding is revolutionizing the way loans are processed in Canada. Through online platforms, businesses can apply for financing, access loans, and manage their accounts. This has greatly simplified access to capital for businesses in Canada. However, digital onboarding in commercial lending also presents challenges related to compliance with anti-money laundering (AML) and know-your-customer (KYC) regulations.

Canadian financial institutions must ensure they comply with stringent identity verification requirements to prevent fraud and money laundering. Technologies such as biometric verification and facial recognition are more commonly being used by lenders to streamline onboarding processes, but these technologies raise concerns about data protection and privacy. Financial institutions and their legal counsel must consider whether the use of new technologies will breach Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) or create risks tied to the use of personal data in digital platforms.

Cybersecurity and data privacy

With commercial lending increasingly moving online, cybersecurity and data privacy are critical concerns. Financial institutions are entrusted with vast amounts of sensitive business data, making them targets for cybercriminals. As a result, lenders face significant exposure in the event of a breach.

Lawyers must advise their lending clients of their legal obligations under PIPEDA, as well as their obligations under legislation such as the applicable Province’s Freedom of Information and Protection of Privacy Actand other comparable provincial legislation across the country. With emerging technologies such as blockchain and cloud computing, legal advisors will likely be relied upon more and more by financial institutions to navigate the complexities of securing digital transactions while ensuring compliance with both provincial and federal data protection regulations. The legal risks associated with non-compliance, including lawsuits, regulatory penalties, and reputational damage, must be addressed proactively.

Regulatory sandboxes

We are seeing innovation being fostered in the commercial lending space through the use of regulatory sandboxes. By way of example, the Ontario Securities Commission and Canadian Securities Administrators have both launched initiatives that allow FinTech firms to test new products and services in a controlled environment. These initiatives provide an opportunity for businesses in the commercial lending sector to experiment with new technologies, such as AI-powered lending platforms or digital lending models, while ensuring they meet regulatory standards.

Regulatory oversight

FinTech innovations also raise legal concerns about liability, consumer protection, and regulatory oversight. Commercial lenders must keep securities and consumer protection legislation (such as the applicable Province’s Securities Act or equivalent and the applicable Province’s Consumer Protection Act or equivalent) in mind when leveraging these tools.

Businesses which engage in foreign exchange dealing, issuing or redeeming money orders or similar instruments, dealing in virtual currency and crowdfunding platform services, are subject to regulation by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) under the PCMLTFA.

Further, under the Retail Payment Activities Act (RPAA), the Bank of Canada (BOC) has been granted authority to supervise Canada’s retail payments sector by: overseeing payment service providers (PSPs), requiring PSPs to register with the BOC, engaging in risk monitoring and reporting, and providing the BOC with enforcement tools to address violations. FinTech businesses that are captured under the definition of a PSP under the RPAA will be required to register with the BOC as of November 1, 2024.

Cross-border legal challenges

FinTech innovation is of course not only taking place in Canada, and so Canadian commercial must navigate the complexities of cross-border transactions, particularly in the context of cryptocurrency and cross-border financing. Lenders engaging in international trade finance, or working with cryptocurrency payment systems, must understand how Canadian laws interact with international regulations. For example, cryptocurrency exchanges like Coinbase and Binance may allow businesses to access funding through digital currencies, but each country has its own regulations governing these exchanges.

Commercial lenders may need legal advice on how to comply with international laws, including the European Union’s General Data Protection Regulation (GDPR) for data protection, or the U.S. Securities and Exchange Commission’s regulations concerning cryptocurrencies. Lawyers may also be engaged to help navigate cross-border lending risks, such as differences in enforcement and regulation of financial agreements across jurisdictions.

Key takeaways

  • Financial technology is transforming commercial lending in Canada (and around the world), offering streamlined processes, improved risk assessment, and faster access to capital.
  • AI is driving innovation, but also raises significant legal issues related to transparency, fairness, and compliance with data privacy laws such as PIPEDA.
  • Open banking is enhancing data-sharing between lenders and businesses, while simultaneously introducing complex legal questions around consent, data security, and third-party liability.
  • Digital onboarding can simplify loan origination, yet it demands strict adherence to AML and KYC rules, especially as biometric technologies become more prevalent.
  • Cybersecurity is now central to legal risk management, with lenders expected to proactively safeguard sensitive business data and comply with both federal and provincial privacy laws.
  • Regulatory sandboxes support responsible innovation, but participating institutions must remain compliant with the securities and consumer protection legislation.
  • Cross-border lending and digital currencies increase legal complexity, requiring careful navigation of foreign regulations like the GDPR.

As FinTech continues to evolve, the legal landscape surrounding commercial lending in Canada is becoming increasingly complex. Lawyers specializing in commercial lending must be proactive in understanding new technologies and their impact on legal compliance. Collaboration between legal professionals, lenders, and regulators will be key to creating a regulatory environment that supports innovation while protecting both businesses and consumers.

Need clarity on how emerging FinTech tools interact with Canada’s legal framework? Miller Thomson’s legal professionals from our Banking and Financial Services Group are here to help you stay compliant, mitigate risk, and support innovation.

[1] FundThrough, “Frequently Asked Questions” (last visited 11 April 2025),