Department of Finance Releases Consultation Paper on New Retail Payments Oversight Framework Providing for Functional Regulation of Payment Service Providers
On July 7, 2017, the Department of Finance issued the consultation paper “A New Retail Payments Oversight Framework” (the “Consultation Paper”) proposing a federal oversight framework for retail payments. Comments on the Consultation Paper are due October 6, 2017.
Summary of Proposed Oversight Framework
The Consultation Paper is discussed in more detail below, but the key elements are:
- Broad Scope: The oversight framework would apply to any payment service providers (“PSP”) that perform any listed core functions and would capture credit card transactions, online payments, pay deposits, debit transactions, pre-authorized payments, and peer-to-peer money transfers.
- Registration Requirement: All PSPs would be required to register with a “designated federal retail payments regulator”.
- End-User Fund Safeguarding Measures: All PSPs that hold end-user funds overnight or longer would be required to meet certain requirements, including placing them in a trust account, and certain record-keeping requirements.
- Operational Standards: All PSPs would be required to comply with a set of principles related to establishing security and operational objectives and policies and business continuity planning.
- Disclosure Requirements: All PSPs would be required to provide end users with certain information, including information on the key characteristics of their service or product, the responsibilities of customers and PSPs, terms and conditions, the end user’s account history of payment transactions, and receipts for transactions.
- Third-Party Dispute Resolution: An external complaint body would be designated for customers to elevate complaints not resolved through PSPs’ internal complaint handling processes, and PSPs would need to advertise their complaint-handling processes.
- Liability for Unauthorized Transactions: The payment-authorizing PSP would have to refund the payor for losses resulting from unauthorized transactions or errors, unless the payor acted fraudulently or failed to fulfil certain obligations.
- Increased Emphasis on Privacy: The regulator for the oversight framework would promote awareness of, and compliance with privacy laws, including by directing PSPs, at the point of registration, to relevant guidance from privacy regulators.
The oversight framework is proposed to be principles-based, with tiering of measures (such that, for example, smaller firms may be subject to less stringent requirements), and a recognition of equivalent requirements under other legislative frameworks.
In addition, the Consultation Paper proposes the establishment of an advisory service for small firms that could guide and assist qualified PSPs in understanding the framework requirements based on their specific business models.
Details of Proposed Oversight Framework
- Scope of Retail Payments Oversight Framework
The Consultation Paper proposes a functional approach to regulation of retail payments in Canada, which would apply to any PSP that performs any of the following five core functions in the context of an electronic fund transfer ordered by an end user:
- Providing and maintaining payment accounts for the purpose of making electronic fund transfers;
- Enabling the initiation of a payment at the request of an end user;
- Authorizing and transmitting payment messages;
- Holding of funds; or
- Fund clearing and settlement.
The Consultation Paper provides examples of PSP functions: credit card transactions, online payments, pay deposits, debit transactions, pre-authorized payments, and peer-to-peer money transfers. Certain types of transactions are specifically excluded:
- Transactions entirely made in cash;
- Transactions conducted via an agent authorized to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee, where the funds held by the agent on behalf of the payer or payee are kept in a trust (e.g., real estate agent or lawyer);
- Transactions made with instruments that allow the holder to acquire goods or services only at the premises of the issuing merchant (e.g., store cards) or within a limited network of merchants that have a commercial agreement with an issuer (e.g., shopping mall cards);
- Transactions related to securities asset servicing (e.g., dividends distribution, redemption or sale) and derivatives;
- Transactions at ATMs for the purpose of cash withdrawals and cash deposits;
- Transactions between entities of the same corporate group, if no intermediary outside of the corporate group is involved in the transaction; and
- The clearing and settlement of transactions made through systems designated under the Payment Clearing and Settlement Act.
Furthermore, the Consultation Paper states that the proposed retail payments oversight framework is to be limited to transactions that are carried out solely in fiat currencies, and not virtual currencies given their current limited use. The Government indicated that it will continue to monitor the use of virtual currencies in retail payments and may propose adjustments to the framework as needed.
Many types of Fintech entities in the payment space, particularly those offering e-wallets, prepaid cards and/or peer to peer payments, as well as more traditional payment entities such as merchant acquirers, would appear to fall within the scope of the proposed framework. In addition, entities that are already otherwise regulated, such as banks, credit unions, trust companies and money services businesses may also be PSPs.
In addition, although the Consultation Paper refers to “retail” payments oversight, the currently proposed scope of the framework contemplates more than what would be considered to be consumer transactions.
- Proposed Requirements
a. Registration – The Consultation Paper proposes a requirement that all PSPs register with the “designated federal retail payments regulator” (see “Regulatory Authority” section below) either when the oversight framework comes into effect or in the case of a new PSP, prior to launch. The Consultation Paper provides a list of information required to register in Appendix B, including the type of services and payment functions provided, the volume and value of transactions processed in Canada and globally in the last year (or expected to be processed in the upcoming year for a new PSP), the average amount of consumer funds held where the PSP is not a deposit-taking financial institution, the trust account where consumer funds are held, and the total assets value of the PSP. In addition, the PSP’s owners and directors would need to undergo a criminal record check. Furthermore, if Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) determines or has determined that a PSP has committed a “very serious” violation of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act or, in the case of a money remitter, the PSP has not registered with FINTRAC, the PSP’s registration would be denied or revoked.
b. End-user fund safeguarding – The Consultation Paper proposes that PSPs that place end-user funds held overnight or longer in a trust account be required to meet the following requirements:
- The account must be at a deposit-taking financial institution that is either a member of the Canada Deposit Insurance Corporation or covered under a provincial deposit insurance regime;
- The account must be in the name of the PSP;
- The account must be clearly identified as the PSP’s trust account on the records of the PSP and the financial institution;
- The account may only be used to hold end-user funds;
- The PSP must ensure that the financial institution does not withdraw funds from the account without the PSP’s authorization (e.g., service fees incurred by the PSP must be paid from the PSP’s general account); and
- The assets held in the account must be cash held on deposit or highly secure financial assets that can be readily converted into cash.
PSPs would also be required to maintain detailed accounting records that would allow for the accurate identification of funds held in trust and the beneficiaries, and to report on their trust accounts in their annual filings to its designated regulator.
c. Operational standards – The Consultation Paper proposes that PSPs be required to comply with a set of principles related to establishing security and operational objectives and policies and business continuity planning:
- A PSP should establish a robust operational risk-management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.
- A PSP’s management should clearly define the roles and responsibilities for addressing operational risk and should endorse the PSP’s operational risk-management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.
- A PSP should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
- A PSP system should have comprehensive physical and information security policies that address all major potential vulnerabilities and threats.
- A PSP should have a business continuity plan that addresses events posing a significant risk of disrupting operations. The plan should be designed to protect end users’ information and payment data and to enable recovery of accurate data following an incident. The plan should also seek to mitigate the impact on end users following a disruption by having a plan to return to normal operations.
- A PSP should identify, monitor, and manage the risks that end users, participants, other PSPs, and service and utility providers might pose to its operations. In addition, a PSP should identify, monitor, and manage the risks that its operations might pose to others.
Operational system testing may be conducted through self-assessment for small firms or through third-party verification for larger firms.
d. Disclosure requirements – The Consultation Paper proposes that PSPs be required to provide end users with information on the key characteristics of the service or product (such as charges and fees, functions, limitations, security guidelines), customers’ responsibilities, the PSP’s responsibilities, terms and conditions, the end user’s history of payment transactions on an account and receipts for transactions.
Disclosures have to meet the following principles:
- Information must contain adequate and relevant content;
- Information must be provided in a timely manner;
- Information must be presented in language that is clear, simple and not-misleading; and,
- Information must be easily accessible.
PSPs would also be required to provide a separate, concise summary containing key information related to a payment service on the cover page of the terms and conditions regarding the use of the service. Annex A to the Consultation Paper provides further detail on proposed disclosure requirements.
e. Dispute resolution – The Consultation Paper proposes that a designated external complaint body (ECB) be designated for PSPs to receive complaints that fail to be resolved through a PSP’s internal complaint handling process. PSPs would also be required to:
- Advertise their complaint handling procedures and the possibility for customers to refer cases to the designated ECB;
- Provide the ECB with all the information it may need in resolving the dispute; and
- Participate in the dispute resolution process (e.g., participate in conciliation sessions and ECB consultations).
f. Liability for unauthorized transactions – The Consultation Paper proposes that payors not be held liable for losses for unauthorized transactions or errors unless they acted fraudulently or failed to fulfil certain obligations, and that the payment-authorizing PSP would have to refund the payor for losses resulting from unauthorized transactions or errors. Cases where the payor could be held liable include where (i) the payor has not taken reasonable care to protect the security of the payor’s passwords; (ii) the payor has not notified the PSP, without undue delay, that a payment instrument has been lost or stolen, or that a password has been breached; and (iii) the payor has entered the payee information incorrectly such that it was impossible for the PSP to transmit the funds to the right payee. Under these scenarios, the PSP would have to make reasonable efforts to recover the funds.
g. Privacy - The Consultation Paper notes that technological innovation has given PSPs the ability to collect and store many different types of personal and sensitive information and states that “weak protection of personal information by PSPs is a type of market conduct risk that may lead to a series of undesirable consequences for end users, such as financial or reputational harm due to data breaches”.
While the federal privacy legislation (PIPEDA) applies to all Canadian businesses in all sectors of the economy, including retail payments, the Consultation Paper states that “some PSPs may not be familiar with their responsibilities under PIPEDA or applicable provincial privacy legislation”.
The Consultation Paper proposes that the regulator for the oversight framework promote awareness of, and compliance with, PIPEDA and similar provincial legislation, including by directing PSPs, at the point of registration, to relevant, existing information published by the Office of the Privacy Commissioner or other provincial regulators regarding compliance with privacy-related obligations.
- Guiding Principles
The Consultation Paper states that “the proposed oversight framework would encourage innovation and competition” and aim to apply measures commensurate to the level of risk posed by each PSP.
To achieve these goals, the oversight framework is proposed to be built around the following guiding principles:
- Principles-based requirements – Requirements are generally intended to be principles-based, both to accommodate the diversity of business models in the retail payments sector and to allow for flexibility in the case of future models.
- Tiering of measures – The Consultation Paper states that consideration is to be given to tiering of specific measures such that, for example, smaller firms may be subject to less stringent requirements.
- Recognition of equivalent requirements under other legislative frameworks – The Consultation Paper proposes that PSPs be exempt from having to implement a framework measure if the entity is subject to a substantially similar requirement under another federal or provincial statute (such as, for example, the Bank Act or credit union legislation).
- Advisory Service for Small Firms
The Consultation Paper proposes the establishment of an advisory service (similar to some of the regulatory sandbox models in other jurisdictions) for small PSP firms planning to commercialize a new product, process or service. Such advisory service could guide qualified PSPs through the registration process and assist by interpreting the various framework requirements based on their specific business model.
- Regulatory Authority
As noted above, the Consultation Paper refers to a “designated federal retail payments regulator”. Rather than explicitly address the creation of a new regulator, the Consultation Paper states that the framework will leverage the mandate and expertise of existing regulators, in order to ensure consistency in the implementation of similar measures across federal oversight frameworks. The Consultation Paper does not explicitly address which regulator will supervise those PSPs that are not currently subject to federal oversight.
Finally, the Consultation Paper provides that the regulator would have access to a combination of compliance tools that would allow for effective intervention with any type of PSP, set out in more detail in Annex C to the Consultation Paper, and including the issuance of guidelines, annual filing requirements, on-site examinations, and the ability to issue administrative penalties and compliance orders.