Canada publishes proposed ‎Retail Payment Activities Regulations

On June 29, 2021, the federal government assented to An Act Respecting Retail Payment Activities (“RPAA”). The RPAA is the first regulatory regime for retail payment providers in Canada.

As previously announced, on February 11, 2023, the Department of Finance published the proposed Retail Payment Activities Regulations (“RPAR”). When they come into force, the RPAR will introduce a new retail payment supervisory regime for the retail payment activities of payment service providers (“PSPs”). The RPAR is intended to support the RPAA by establishing requirements to safeguard end-user funds where a PSP becomes insolvent and establishing standards for operational risk management.

This article summarizes the proposed Regulations, which include (1) requirements regarding PSP registration with the Bank of Canada, (2) reporting requirements, (3) standards for operational risk management, (4) requirements to safeguard end-user funds, (5) national security requirements, and (6) penalties for violating requirements.

The proposed RPAR are highly prescriptive, meaning they have very detailed requirements that must be included in the mandated framework policies. However, the RPAR expressly provides for some flexibility by adopting language that accords with the following objectives from the 2017 federal consultation paper, “A New Retail Payments Oversight Framework”: necessity, proportionality, consistency and effectiveness.

Although the RPAA has passed, it will only come into force once the Department of Finance receives comments on the RPAR and decides how such comments will be reflected, if at all. Interested parties can submit comments until March 28, 2023 here by clicking the “Add a comment” button under each section. All comments will be posted publicly online after March 28. Within each submission there is a section provided specifically for confidential information. 

Background

As a brief refresher, the RPAA and RPAR apply to PSPs. Under the RPAA, PSPs are defined as any individual or entity that performs a payment function as a service or business activity that is not incidental to another service or activity. A Payment Function performs one of the following:

• providing or maintaining a payment account:
• individuals or entities satisfy this definition if they store personal or financial information about end users to make it easier to carry out future transactions.
• holding funds:
• the Bank has yet to interpret the definition of “holding funds” but is scheduled to soon release a definition.
• initiating an electronic funds transfer:
• when a payer or payee sends the first instruction to start a transaction, either as a push or pull payment.
• authorizing, transmitting, receiving or facilitating instructions about an electronic funds transfer:
• transmits, receives or facilitates an instruction about an electronic funds transfer if it:
• sends payment instructions;
• receives payment instructions, or
• provides the infrastructure that enables payment instructions to be sent or received.
• clearing or settling:
• clearing: involves transmitting, reconciling and, in some cases, confirming transactions before they are settled, or
• settlement: releases the payment obligations between two or more PSPs according to the terms of the transaction.

As you will have noted from the foregoing, the definition of Payment Function is very broad. Therefore, the RPAA expressly exempts certain entities from the definition as follows:

• banks and authorized foreign banks;
• credit unions, insurance companies, and trust and loan companies;
• provinces or their agents and mandataires;
• the Canadian Payments Association;
• a company to which the Insurance Companies Act or Trust Loan Companies Act applies;
• payment functions performed in relation to an electronic funds transfer if the payment function is performed using a designated system under the Payment Clearing and Settlement Act (Canada), and
• agents and mandataries performing retail payment activities in the scope of their activity as agent or mandatary, subject to certain conditions.

PSP registration

A PSP must register under the Act if they satisfy at least one of three criterion: (1) they are a payment service provider, (2) they perform a retail payment activity, or (3) they have a place of business in Canada or have a place of business outside of Canada but perform retail payment activities for end users in Canada (a “PSP Registrant”). A PSP Registrant must provide the Bank of Canada with its name, contact information, business structure, third parties and operations, ubiquity and interconnectedness, its practices on safeguarding end-user funds, and a description of its risk management framework. The Bank of Canada will maintain and publish some of this information on a public PSP registry.

The RPAR specifies registration requirements and prescribes that a PSP Registrant must pay a one-time registration fee of $2,500 (to be adjusted for inflation over time).

Reporting requirements

Under the RPAA, to support its supervisory function, PSPs must file (1) annual reports; (2) significant change reports; (3) incident reports; (4) information requests; and (5) notices of change in information. The following part of this article discusses the elements of each of these reporting requirements.

Annual reports

For annual reports, PSPs must include objectives, changes to their risk management framework, human and financial resources to implement and maintain the risk management framework, a description of operational risks, information on their account providers, a description of their Fund Safeguarding Framework, the means used to safeguard funds, independent reviews of their fund safeguarding practices conducted in the past year, and information on ubiquity and interconnectedness. For greater certainty, the information on ubiquity and interconnectedness must be demonstrated by reporting the following:

• the number of PSPs services provided;
• the number of end users;
• the maximum value of end-user funds held at any time in Canada;
• the daily average value of all end-user funds of all currencies held each month;
• the volume and value of electronic fund transfers connected to retail payment activity, and
• financial metrics for the reporting year (revenues, gross profits or losses, operating profits or losses, assets liabilities and equity).

Significant change report

For significant change reports, a PSP must give the Bank of Canada five days notice before implementing a significant change. Significant changes are changes that could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded. The notice must include the reason for the change, the PSP’s assessment of the effect of the change on operational risks and safeguarding funds, and any new or amended policies connected with the change.

Incident report

Under the RPAR, PSPs must also give notice of incident reports. Incident reports are required where any incident has a material impact on an end-user, other PSP, or designated financial market infrastructures. The notice must now generally include a description of the incident, its impact on the affected individuals or entities, corrective measures that can be taken by impacted individuals or entities, and actions taken in response to the incident.

Information requests

Under the RPAR, PSPs have 15 days to respond to Bank of Canada requests for information pertaining to their compliance with the RPAA regime. If the information being requested relates to events which are ongoing and could have a significant adverse impact on end users or other PSPs, the proposed response period is 24 hours.

Notices of change in information

The RPAR sets out when changes to information must be submitted to the Bank of Canada to maintain an entity’s registration.

Framework I: Standards for operational risk management

Under the RPAA, PSPs must establish, implement and maintain a risk management and incident response framework to identify and mitigate operational risks. Specifically, PSPs must maintain their risk management frameworks with a view to preserving three objectives: integrity, confidentiality and the availability of its retail payment activities and systems and associated data or information.

To achieve these three objectives, the RPAR will require a PSP to (1) identify its operational risks, (2) protect retail payment activities from operational risks, (3) manage its risks from third-parties, (4) detect incidents and control breakdowns, (5) review, test, and sometimes, audit its risk management framework, (6) establish roles and responsibilities for the management of operational risks and incidents and (7) have sufficient human and financial resources for its risk management framework.

Compliance review

The risk management framework must be reviewed for compliance at least once a year; however, a review is also required before implementing significant changes to a PSP’s operations or control or where an incident with a material impact occurs.

Effectiveness review

The risk management framework must also be tested at least once every three years for effectiveness, meaning to identify any gaps and vulnerabilities. An effectiveness review is also necessary where the PSP implements significant changes to its systems, policies or procedures.

Independent review

Finally, the risk management framework requires that an auditor, either internal or external, conduct a review at least every three years.

Compliance, effectiveness, and independent reviews must all be documented based on their scope, methodology, and outcome. Such reports must be given to a senior officer capable of addressing any gaps and vulnerabilities.

Framework II: Requirements to safeguard end-user funds

The RPAA also aims to ensure that end users have reliable and timely access to their funds to protect them against financial loss where a PSP becomes insolvent. To meet this objective, the RPAA requires PSPs to hold funds in a segregated trust account or with a guarantee or insurance covering such funds.

The RPAR would require PSPs to either hold accounts with end-user funds in, or have insurance or a guarantee from, prudentially regulated financial institutions, such as Canadian banks, credit unions and trust or loan companies. The RPAR also permits foreign financial institutions to provide such guarantees if they are subject to a regulatory framework comparable to Canada’s in regards to capital, liquidity, governance, supervision, and risk management. The insurance or guarantee requirement will not be satisfied if funds are simply held in a third-party bank account with deposit insurance because deposit insurance protects against the failure of the bank holding the account rather than the failure of the PSP itself. The RPAR would also require PSPs have a written safeguarding-of-funds framework to ensure that end users have reliable access to their funds without delay and that upon insolvency, such funds are paid to end users without delay. The safeguarding-of-funds framework should describe the PSP’s system policies, processes, procedures, controls, and other means of protecting such funds. The PSP safeguarding measures will need to be reviewed on an annual basis and be subject to biennial independent reviews.

National security

Where there have been acquisitions of control or events or other changes, under the RPAA and 60 days after submitting an initial registration, the Minister of Finance can commence national security reviews. The “other changes” include when a state-owned enterprise acquires voting rights, ownership interests, or director and executive appoint rights in a PSP, and the PSP or its third-party service providers store or process information in a country outside Canada that was not identified in the PSP’s most recent application for registration.

Under the RPAA, reviews can be 180 days or longer and result in conditional or unconditional approvals or rejections. The RPAA national security provision applies to Canadians as well as non-Canadians. Nevertheless, in practice, national security reviews typically focus on Chinese, Russian, State-Owned Enterprise investors, and investors with known links to organized crime.

Penalties for violating requirements

The RPAA confers certain administration and enforcement powers on the Bank of Canada for non-compliance with the RPAA regime. Such powers include (1) entering into compliance agreements, (2) issuing notices of violations, (3) imposing administrative monetary penalties, (4) issuing compliance orders, (5) applying for court orders and (6) refusing or revoking registration.

The RPAR proposes that only designated violations would be subject to a notice of violation and accompanying administrative monetary penalty. Then, after receiving notice, where a PSP enters into and fails to comply with a compliance agreement, the Bank of Canada would issue a notice of default. When a PSP is issued a notice of default, the PSP must pay an additional penalty. The proposed penalty for serious violations is up to $1,000,000 per violation while very serious violations can attract penalties of up to $10,000,000 per violation.

Certain violations relating to the provision of information are subject to their own administrative penalty regime. If the violation has continued for no more than 30 days, the penalty will be $500 per day. For violations that continue for over 30 days, the penalties range from $15,000 to $1,000,000.

What’s next

After the 45 day consultation period, RPAR provisions will come into effect on a tiered basis as follows:

• RPAR provisions about registration, national security, and compliance will come into force when the RPAA’s registration requirements come into force;
• RPAR provisions about record keeping, reporting, supervisory information, operational risk management, and fund safeguarding will apply to PSPs when the Bank registers that PSP and provides them with notice of their registration, and
• RPAR provisions about assessment fees will come into force when the related RPAA provisions come into force.

The RPAR also prescribes detailed compliance requirements. PSPs, especially those who are not familiar with dealing with regulators other than FINTRAC, should seek counsel to ensure they comply.‎ PSPs should also consider whether they may be subject to the Proceeds of Crime Money Laundering and Terrorist Financing Act. For further updates on the RPAA and RPAR, please subscribe to our Banking and Financial Services distribution list.