Comments on proposed Retail Payments Activities Act regime raise concerns for small payment service providers
While the Retail Payment Activities Act, 2021 (“RPAA”) became law in 2022, it is currently awaiting the implementation of additional regulations and guidance from the Bank of Canada before it comes into effect. In particular, comments on the Retail Payment Activities Regulations (“RPAR”) received by the Bank of Canada raise concerns on the effect the RPAR will have on small payment service providers (“PSP”s) operating within Canada.
The Bank of Canada is in the process of reviewing these comments in order to determine whether any changes to the draft RPAR are required. A final version of the regulations will then be published in Part II of the Canada Gazette, which is anticipated in the coming months. Once published, guidance on specific topics related to the RPAA and the final regulations will be issued.
Proposed regulatory framework’s effect on small payment service providers
The comments published in the Canada Gazette Part I indicate an overwhelming concern for the sustainability of small PSPs due to the stringent regulatory framework proposed in the RPAR. Since the Department of Finance has estimated approximately 2,500 businesses will be impacted by this proposal — with approximately 95 percent of them categorized as small businesses — the concerns raised by small PSPs are not unwarranted.
Many small businesses indicated in their comments that they will have a difficult time meeting the high compliance cost imposed under the RPAR due to its burdensome and onerous requirements. Lack of accommodations for smaller businesses could result in their exit from this market.
Specifically, the proposed fee framework does not account for the varying complexities of PSPs. Despite the Bank of Canada noting that fees should strike a balance between level of supervisory effort and undue financial burden, the fee structure proposed is based on value and volume of transactions, and the amount of end user funds held. There does not appear to be consideration for the varying degrees of supervisory effort or the complexity and sophistication of the various risk management frameworks impacted by the RPAR. This results in a lack of balance between the efforts of a PSP and the financial burden that compliance with the RPAR will necessitate.
A lack of smaller PSPs within the market leads to grave concerns regarding the Canadian Economy and increased costs for end-users. Since the requirements of the RPAR are widely mismatched from other leading jurisdictions, smaller PSPs will have difficulty entering the market. The comments received suggest that this will lead to a lack of innovation and competitiveness, where small PSPs will disproportionally bear additional costs in order to operate in Canada. Moreover, it is anticipated that these costs will simply be passed on to end-users.
It is clear from the comments received that an approach based on proportionality and flexibility is essential in reducing the cost burden of compliance with the regulations. Small PSPs are highly important in fostering innovation and contributing to a competitive market, which in turn reduces costs on end-users. Thus, adjustments or accommodations must be made in order to ensure smaller PSPs remain viable.
Who will be affected?
PSPs are defined as any individual or entity that performs a payment function as a service or business activity that is not incidental to another service or activity. For example, a Payment Function may consist of one of the following activities:
- providing or maintaining a payment account;
- holding funds;
- initiating an Electronic Funds Transfer;
- authorizing, transmitting, receiving or facilitating instructions about an Electronic Funds Transfer; and
- clearing or settling.
The Act expressly exempts certain entities as PSPs including: (1) banks and authorized foreign banks, (2) credit unions, insurance companies, and trust or loan companies, (3) provinces or their agents and mandatories, (4) the Canadian Payments Association, (5) companies subject to the Insurance Companies Act or Trust Loan Companies Act, (6) electronic funds transfers where the payment function is performed using a designated system under the Payment Clearing and Settlement Act (Canada), (7) and agents or mandataries performing retail payment activities in the scope of their activity as agent or mandatary, subject to certain conditions.
Expected changes affecting PSPs
The RPAR will have a significant impact on PSPs by introducing the following requirements regarding: (1) PSP registration with the Bank of Canada, (2) reporting requirements, (3) standards for operational risk management, (4) requirements to safeguard end-user funds, (5) national security requirements, and (6) penalties for violating requirements.
A PSP must register under the Act if they are a payment service provider or perform a retail payment activity, and have a place of business in Canada or a place of business outside of Canada but perform retail payment activities for end users in Canada.
In order to register, a PSP must provide the Bank of Canada with prescribed information including its name, contact information, business structure, third parties and operations, ubiquity and interconnectedness, its practices on safeguarding end-user funds, and a description of its risk management framework. There will be a one-time registration fee of $2,500, which will be adjusted with inflation.
PSPs must file (1) annual reports; (2) significant change reports; (3) incident reports; (4) information requests; and (5) notices of change in information.
In filing an annual report, PSPs must include:
- annual objectives;
- changes to their risk management framework;
- human and financial resources to implement and maintain the risk management framework;
- a description of operational risks;
- information on their account providers, and
- a description of their Fund Safeguarding Framework, including the means used to safeguard funds, independent reviews of their fund safeguarding practices conducted in the past year, and information on ubiquity and interconnectedness.
Significant change report
PSPs must give the Bank of Canada five days notice before implementing a significant change. Significant changes include those that could reasonably be expected to have a material impact on operational risks or safeguarding end-user funds. The notice must include:
- the reason for the change;
- a PSP’s assessment of the effect of the change on operational risks and safeguarding funds; and
- any new or amended policies connected with the change.
An incident report will be required where any incident has a material impact on an end-user, other PSP, or designated financial market infrastructures. The notice must include:
- a description of the incident;
- the impact on the affected individuals or entities; and
- corrective measures that can be taken by impacted individuals or entities, and actions taken in response to the incident.
Generally, PSPs have 15 days to respond to Bank of Canada requests for information pertaining to their compliance. The response time is shortened to 24 hours where the request relates to events which are ongoing and have a significant adverse impact on end users or other PSPs.
Notices of change in information
To ensure the Bank of Canada’s registry stays up to date, PSPs are required to notify the Bank of Canada of changes to certain registration-related information.
Framework I: Standards for operational risk management
PSPs will be required to implement and maintain a risk management and incident response framework which will require:
- identifying operational risks;
- protecting retail payment activities from operational risks;
- managing risks from third-parties;
- detecting incidents and control breakdowns;
- reviewing, testing, and auditing the risk management framework;
- establishing roles and responsibilities for the management of operational risks and incidents; and
- securing human and financial resources for its risk management framework.
The risk management framework must be reviewed for compliance once a year. Review is also required before implementing significant changes to operations, control, and where an incident with a material impact occurs. Additionally, the framework must be tested once every three years for effectiveness. An effectiveness review is also necessary where the PSP implements significant changes to its systems, policies or procedures.
The framework must be audited at least every three years.
Framework II: Requirements to safeguard end-user funds
The RPAR requires PSPs to hold funds in a segregated trust account or with a guarantee or insurance covering such funds.
It is important to note that the insurance or guarantee requirement will not be satisfied if funds are simply held in a third-party bank account with deposit insurance.
The RPAR requires PSPs to have a written safeguarding-of-funds framework to ensure that end users have reliable access to their funds without delay and that upon insolvency, such funds are paid to end users without delay. The safeguarding-of-funds framework should describe the PSP’s system policies, processes, procedures, controls, and other means of protecting such funds, which will be reviewed on an annual basis and subject to biennial independent reviews.
In the event of an acquisition, change of control, or “other changes”, the Minister of Finance will commence a national security review 60 days after submitting an initial registration.
“Other changes” may include:
- a state-owned enterprise acquiring voting rights, and/ or ownership interests;
- a Director or Executive having appointed rights in a PSP; and
- the PSP or its third-party service providers storing process information in a country outside Canada that was not identified in the PSP’s most recent application for registration.
Reviews can last 180 days or longer and result in conditional or unconditional approvals or rejections. The RPAR national security provision applies to Canadians as well as non-Canadians. However, in practice, the reviews focus on Chinese, Russian, State-Owned Enterprise investors, and investors with known links to organized crime.
Penalties for violating requirements
The RPAR confers certain administration and enforcement powers on the Bank of Canada for non-compliance. These include:
- entering into compliance agreements;
- issuing notices of violations;
- imposing administrative monetary penalties;
- issuing compliance orders;
- applying for court orders; and
- refusing or revoking registration.
When a PSP is issued a notice of default, the PSP must pay an additional penalty. The proposed penalty for serious violations is up to $1,000,000 per violation while very serious violations can attract penalties of up to $10,000,000 per violation.
Certain violations relating to the provision of information are subject to their own administrative penalty. Where the violation has continued for no more than 30 days, the penalty will be $500 per day. For violations that continue for over 30 days, the penalties range from $15,000 to $1,000,000.
Please contact any member of our Financial Services Team to learn more about the RPAA regulations.