Bank of Canada Releases New Retail Payment Activities Act: Supervisory Guidance Related to Enforcement
On June 17, 2024, the Bank of Canada (the “Bank”) published new supervisory guidance (“Guidance”) in connection with the Retail Payment Activities Act (the “RPAA”) and its associated regulations (the “RPAR”). Specifically, the Guidance issued by the Bank relates to:
- administrative monetary penalties (“AMPs”);
- enforcement process and tools;
- issuing public notice of decisions;
- review of decisions by the Governor of the Bank of Canada;
- roles and responsibilities of the Executive Director of Payments, Supervision and Oversight and the Managing Director of Supervision; and
- determination by the Bank that a “significant adverse impact” is occurring or has occurred.
For our post on the previous supervisory guidance issued by the Bank on December 12, 2023, please click here.
1. Administrative Monetary Penalties
The Guidance provides further information on what the Bank will consider when issuing and determining the amount of an AMP. The purpose of the issuance of an AMP by the Bank “is to promote compliance with the RPAA and the RPAR”, and generally will be “proportionate to violations”. The Guidance is intended to be “flexible” and “AMP determinations are made on a case-by-case basis” taking into account the facts surrounding the violation. The approach taken is similar to that articulated by FINTRAC in its administrative monetary policy, so payment service providers (“PSPs”) that are already FINTRAC reporting entities (e.g., money services businesses), will likely see similarities regarding the underlying policy rationale.
The Guidance includes the weighting typically given to each of the AMP criteria set out in the RPAR, namely:
- actual harm and potential harm related to the violation – up to 60% of the AMP range; plus
- violation history within the immediately preceding five years – up to 20% of the AMP range; plus
- the degree of intent or negligence with respect to committing the violation – up to 20% of the AMP range.
The AMP ranges in the RPAR are up to $1 million for a serious violation and up to $10 million for a very serious violation.
The following paragraphs describe these criteria and provide further details about how the Bank will determine an AMP amount.
Harm
As noted above, harm is given the most weight by the Bank—both actual and potential harm resulting from a violation. The Guidelines describe actual and potential harm, as follows:
- Actual harm: “the impacts on the safety and integrity of the Canadian retail payments sector, especially end users (e.g., loss of funds, confidentiality or availability of services)”.
- Potential harm: “the vulnerabilities caused by a violation in a PSP’s operation or the Bank’s ability to supervise PSPs.”
The Guidelines articulate that the Bank will assess potential harm and establish a “baseline”, which generally involves a consideration of “the part of the market that the PSP serves” and “the size of the market that could potentially be affected as a proportion of the overall retail payments market supervised by the Bank.” The baseline may be adjusted based on whether there is partial compliance vs. a high degree of non-compliance.
The Bank will also assess actual harm and, similar to the assessment for potential harm, will analyze “the relative proportion of the retail payments market that experienced the harm caused by the violation”, as well as the extent of the losses.
Violation History
In addition, the Bank will consider any history of prior violations of the PSP within the previous five years. The Bank may also consider the quantity, severity, nature and relevance of past violations relative to the current violation; usually a history of previous violations will contribute to a higher AMP. If a PSP has no previous violation history, then no amount will be attributed under this criterion.
Intent or Negligence
Evidence of intent or negligence will also be considered, and if present, will generally result in a higher AMP amount. To determine intent, the Bank does a “subjective assessment” considering the facts and actions of PSP and whether they knew or were reckless or willfully blind to the fact that they were committing a violation. To determine negligence, the Bank performs an “objective assessment” to consider what was reasonable in the circumstances to prevent or stop the violation. If a PSP is not found to have intent or negligence with respect to a violation, then no amount will be attributed under this criterion.
Lastly, “the Bank may consider other factors…such as mitigating and aggravating factors”, as these may impact the amount of an AMP. Some examples given by the Bank include actions taken by the PSP to mitigate the harm caused by a violation, or conversely, aggregating factors such as repeated commission of the same violation, or an “egregious delay in correcting the non-compliance”.
2. Enforcement Process
The Bank may elect to use a “proportionate enforcement tool” where a PSP has violated the RPAA or RPAR, including failing to: (i) register; (ii) submit mandatory reports and notices; (iii) respond to information requests; or (iv) comply with requirements regarding operational risk, incident response or safeguarding end-user funds. The enforcement process generally starts with the Bank receiving a complaint, which can be either from within or from outside the Bank.
The Bank may commence an investigation to determine if it “has reasonable grounds to believe that a…PSP has committed a violation”. The Guidelines elaborate on the five different ways that the Bank may collect information regarding a potential violation:
- Desk Investigation: The Bank may review information available from Bank staff.
- Information Request: The Bank may request information from a PSP—the PSP must respond within 15 days unless the request relates to an incident that could have a “significant adverse impact”, in which case the PSP must respond within 24 hours (see “Significant Adverse Impact”, below).
- Interview: The Bank may conduct interviews with the PSP or other third parties.
- Onsite Investigation: The Bank may visit the office of the PSP or any other place that it may find records related to compliance with the RPAA or RPAR.
- Special Audit: The Bank may appoint an external auditor where specialized skills or experience are needed to assess compliance. The PSP is responsible for all costs related to a special audit.
The Bank will generally start with a desk investigation and may seek additional information through the other processes outlined above. If there are “reasonable grounds” for the Bank to believe that a violation has been committed, the Bank may choose a “proportionate” enforcement tool (see “Enforcement Tools” below).
Enforcement Tools
The Bank has a number of enforcement tools that it may use in response to non-compliance with the RPAA or RPAR, including the following:
- Warning Letter: The Bank sends a letter to the PSP advising of actual or potential violations, the Bank’s expectations on corrective action, and any possible escalation or enforcement action (including the amount of a potential AMP).
- Compliance Agreement: The Bank and the PSP enter into a formal agreement setting out corrective action to be taken by a PSP. Failure by the PSP to implement such corrective action could result in further enforcement action.
- Notice of Violation (“NOV”): A NOV is a formal notice of violation that may be issued to a PSP by the Bank with or without an AMP. Within 30 days of being served with a NOV, the PSP may appeal the NOV to the Governor of the Bank (the “Governor”) (see “Governor’s Review Process”, below). NOVs that include an AMP may also include an offer to reduce the AMP by up to 50% if the PSP enters into a compliance agreement with the Bank with respect to the violation.
- Compliance Order: The Governor issues an order directing a “PSP to cease or refrain from committing the act or pursuing the course of conduct” that could have a “significant adverse impact” on an individual or entity, and to take remedial action. Similar to a NOV, a PSP will have a specified period time to appeal the order to the Governor.
- Court Enforcement: The Governor applies to a superior court for an enforcement order requiring a PSP comply with the RPAA, RPAR or a compliance order. The Bank may also apply for court enforcement to recover AMPs or other debts to the Bank.
- Revocation of Registration Status: Certain violations or activities by a PSP may allow the Bank to revoke a PSPs registration status, including where directed to do so by the Minister of Finance. The Bank has advised that it will publish a policy on refusal and revocation ahead of the registration period, which begins on November 1, 2024.
As with the Bank’s approach to AMPs, the Bank will use enforcement tools that are proportionate to the violation and encourage a change in behaviour by the offending PSP and PSPs generally. The Bank has made clear that its intention with the use of enforcement tools is not to punish the PSP.
3. Issuing Public Notice of Decisions
The Guidelines also highlight that the Bank will give public notice of the following types of decisions:
- Registration Decisions: Approvals, revocations and refusals of RPAA registrations
- Enforcement Decisions: Issuances of NOVs and notices of default (i.e., if a PSP fails to comply with a compliance agreement)
- Governor’s Decisions: Registration, enforcement and appeals of Governor’s decisions
The Guidelines state that the PSP registry, including refusals and revocations, will be available starting September 8, 2025. This is following the conclusion of the Bank’s 10-month transition period which commences on November 1, 2024, and runs until September 7, 2025.
4. Governor’s Review
The Governor’s review process is an appeal procedure that may be requested by a PSP that has a decision issued against it under the RPAA. The process is internally separated within the Bank from its broader supervisory powers under the RPAA. Pursuant to a notice of delegation published in the Canada Gazette on June 15, 2024, the Governor’s review functions were delegated to the Executive Director of Payments, Supervision and Oversight (“Executive Director”). The supervisory activities of the Bank under the RPAA are overseen by the Managing Director of Supervision (“Managing Director”).
It is important to note that “[a]n affected party will not be eligible for a Governor’s review of any violations outlined in an NOV if they have paid the full AMP associated with those violations”, and that the Governor’s review is “not confined to reviewing the [initial] decision for errors” (i.e., the Governor can make new or different findings based on the information provided).
A Governor’s decision can be appealed to the federal court within 30 days after the PSP is notified of the Governor’s decision. If a decision is not issued within 90 days after a PSP requests a review for an NOV or “notice of default”, it may appeal to the Federal Court within 30 days after the 90-day period expires.
5. Roles and Responsibilities of the Executive Director and Managing Director
The Guidelines also contain information regarding the roles of the Executive Director and Managing Director.
The Executive Director is responsible for: (i) supervision of PSPs; (ii) oversight of financial market infrastructures and banking and payments services provided by the Bank; and (iii) Governor’s reviews. The Executive Director does not participate in the supervisory activities performed by the Bank under the RPAA.
The Managing Director reports directly to the Executive Director but remains “independent from the Executive Director when conducting any supervisory activity that could lead to a Governor’s review [and] oversees all registration and enforcement actions initiated by Bank Staff.”
6. Significant Adverse Impact
The last Guideline published by the Bank on June 17, 2024, provides information on what the Bank will consider a “significant adverse impact”. This term is relevant in determining whether the Bank can issue a compliance order and the timeline by which a PSP must respond to an information request from the Bank (see “Enforcement Tools” and “Enforcement Process”, respectively, above).
The Guideline notes the following examples of what the Bank would consider a potential adverse impact: (i) loss of end-user funds; (ii) breach of confidential data; (iii) outage/system failure of retail payments activity; and (iv) compromised integrity of a retail payments activity (e.g., misdirected funds). The Bank will assess the potential impact, duration and irreversibility of the incident when determining significance, along with any other relevant factors.
***
These Guidelines provide helpful context and information about the Bank’s views regarding enforcement, as the RPAA and RPAR implement not only a new regime but also a new supervisory and enforcement role for the Bank. Beginning September 2025, it will be interesting to observe the Bank’s exercise of these powers in order to obtain further practical insights into its approach to supervision and enforcement under the RPAA.
***
For more information about our firm’s Fintech expertise, please see our Fintech group’s page.