Federal Government Releases Draft Retail Payment Activities Act
The long-awaited draft of An Act Respecting Retail Payment Activities (short title, Retail Payment Activities Act) (the “RPAA”) has been released as part of budget Bill C-30, the first reading of which was on April 30, 2021. The RPAA seeks to implement the previously announced federal retail payments oversight framework, first outlined in a 2017 consultation paper (the “2017 Consultation Paper”).
The RPAA comes in the context of a number of related regulatory and industry initiatives affecting the payments industry in Canada, including ongoing consultations on consumer-directed finance/open banking, the payments modernization initiative and parallel amendments to other payments legislation, including the Payment Clearing and Settlement Act.
While the RPAA proposes a generally similar regime as that outlined in the 2017 Consultation Paper, the framework proposed in 2017 contained certain concepts that have not been included in the RPAA, such as: a requirement that an external complaint body be designated for entities falling within the scope of the framework to receive complaints; certain disclosure requirements to end users; and provisions addressing liability for unauthorized transactions.
The RPAA’s preamble notes the aim of the RPAA includes to “foster competition and innovation in payment services by building confidence in the retail payment sector”.
Scope of Application
The RPAA will apply to any “retail payment activity” that is either (a) performed by a service provider that has a place of business in Canada, or (b) performed for an “end user” in Canada by a “payment service provider” (“PSP”) that does not have a place of business in Canada but directs retail payment activities at individuals or entities that are in Canada.
End Users and Payment Service Providers
An “end user” is defined as an individual or entity that uses a payment service as a payer or payee. A PSP is defined as an individual or entity who performs “payment functions” as a service or business activity that is not incidental to another service or business activity.
Retail Payment Activity
A “retail payment activity” is defined as a “payment function” that is performed in relation to an electronic funds transfer that is made in the currency of Canada or another country or using a unit that meets prescribed criteria.
A “payment function” means:
- the provision or maintenance of an account that, in relation to an “electronic funds transfer”, is held on behalf of one or more end users;
- the holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity;
- the initiation of an “electronic funds transfer” at the request of an end user;
- the authorization of an “electronic funds transfer” or the transmission, reception or facilitation of an instruction in relation to an “electronic funds transfer”; or
- the provision of clearing or settlement services.
An “electronic funds transfer” is defined as a placement, transfer or withdrawal of funds by electronic means that is initiated by or on behalf of an individual or entity.
The RPAA will not apply in respect of the following retail payment activities:
- a payment function related to merchant-issued (or other non-payment-service-provider-issued) instrument that allows the holder to purchase goods or service from the issuing merchant (or any merchant in the group) (eg. closed loop gift cards);
- a payment function that is performed for the purpose of giving effect to an “eligible financial contract” as defined under the Canada Deposit Insurance Corporation Act;
- a payment function made for the purposes of a cash withdrawal at an automatic teller machine;
- payment functions performed by systems designated under the Payment Clearing and Settlement Act;
- payment functions performed entirely between the PSP and an affiliated entity;
- payment functions performed by a bank, an authorized foreign bank, a credit union, a provincial government or an agent thereof if they accept deposits transferable by order, an insurance company, a trust company, a loan company, Payments Canada, the BoC or prescribed individuals or entities;
- payments functions performed by agents of registered PSPs; or
- any other payment function prescribed pursuant to the regulations.
Bank of Canada as Supervisory Authority
The RPAA directs the Bank of Canada (the “BoC”) to:
- supervise PSPs that perform retail payment activities in order to determine whether those PSPs are complying with the RPAA;
- promote the adoption by those PSPs of policies and procedures that are designed to implement their obligations under this RPAA; and
- monitor and evaluate trends and issues related to retail payment activities.
In pursuing those objects, the BoC will be required to consider the efficiency of payment services and the interests of end users. The BoC will also be authorized to issues guidelines regarding the application of the RPAA.
A PSP will be required to be registered with the BoC before it performs any retail payment activities. The BoC will maintain a public registry of registered PSPs disclosing the name, address, activities performed, and certain other information to be prescribed. The BoC will also publish a list of individuals or entities who have been refused registration, or whose registration has been revoked, and the reasons for refusal or revocation.
There will be a fee to register. In addition, on an annual basis, all registered PSPs will be required to pay an assessment fee for the expenses incurred by the BoC in the administration of the RPAA.
An applicant may be refused registration for: (a) reasons related to national security; (b) failing to provide additional information requested; (c) failing to comply with an order or undertaking required by the Minister of Finance (the “Minister”); (d) failing to comply with a condition imposed by the Minister; (e) disclosing false or misleading information; (f) not registering as a money service business under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”); (g) committing a “serious violation” under the PCMLTFA; or (g) being deemed to have committed a violation under the RPAA. An applicant may request a review by the Governor of the BoC (the “BoC Governor”) of the refusal to register. As well, an applicant can appeal a decision by the BoC Governor to the Federal Court.
End-User Fund Safeguarding
If a PSP performs a retail payment activity that includes holding end-user funds, the PSP will be required to:
- hold the end-user funds in a trust account that is not used for any other purpose;
- hold the end-user funds in a prescribed account or in a prescribed manner and take any prescribed measures in relation to the funds, the account or the manner; or
- hold the end-user funds in an account that is not used for any other purpose and hold insurance or a guarantee in respect of the funds that is in an amount equal to or greater than the amount held in the account.
The above requirements will not apply to a PSP in respect of end-user funds it holds in a province if the PSP accepts deposits that are insured or guaranteed under provincial legislation, and those end-user funds are deposits that are guaranteed or insured under such legislation.
The 2017 Consultation Paper proposals were more prescriptive regarding end-user safeguarding requirements, but not all of these details are set out in the draft RPAA. These details may be set out in the regulations that will follow.
Operational Risk Management and Incident Response Framework Requirement
A PSP that performs retail payment activities will be required to, in accordance with the regulations, establish, implement and maintain a risk management and incident response framework that meets prescribed requirements for the purposes of identifying and mitigating operational risks and responding to incidents.
An “operational risk” is defined as a risk that may result in the reduction, deterioration or breakdown of retail payment activities that are performed by a PSP as a result of:
- a deficiency in the PSP’s information system or internal process;
- a human error;
- a management failure; or
- a disruption caused by an external event.
An “incident” is defined as an event or series of related events that is unplanned by a PSP and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any retail payment activity that is performed by the PSP.
The BoC will be authorized to assess the PSP’s risk management and incident response framework or any portion of it and the BoC may provide the PSP with a list of corrective measures that the BoC considers appropriate. The PSP will be required to give all assistance that is reasonably required to enable the BoC or the designated person to carry out an assessment and will be required to provide any documents or information and access to any data that are specified by the BoC or the designated person.
If a PSP that performs retail payment activities becomes aware of an incident that has a material impact on an end user, a retail PSP, or a clearing house, the PSP will be required to, without delay, notify that individual or entity and the BoC of the incident. This obligation is consistent with the breach notification requirements already present in ss. 10.1(3) and 10.2 of Personal Information Protection and Electronic Documents Act, which require notifications as soon as feasible to affected individuals who reasonably face a “real risk of significant harm”, as well as to organizations or government institutions if those other organizations or institutions could reduce or mitigate the risk of harm from the incident.
A PSP that performs retail payment activities will be required to submit an annual report to the BoC including certain information to be prescribed respecting the PSP’s risk management and incident response framework, its accounts holding end user funds, and other matters.
A PSP will also be required to notify the BoC before the PSP makes a significant change in the way it performs a retail payment activity or before it performs a new retail payment activity. The notice will include information to be prescribed by regulations and must be given within a prescribed period. Under the RPAA, a change is significant if it could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded.
Administration and Enforcement
The RPAA authorizes the BoC to enforce the provisions of the RPAA and verify a PSP’s compliance, in numerous ways, including by requesting information from a PSP or directing a special audit. The BoC may also enter into a compliance agreement with a PSP for the purpose of implementing any compliance measures.
Administrative Monetary Penalties
The BoC will be authorized to issue notices of violation for both PSPs and non-PSPs and issue administrative monetary penalties (“AMPs”). The Governor in Council may make regulations establishing a range of AMPs in respect of a violation up to a maximum of $10,000,000. The RPAA provides that the purpose of an AMP is to promote compliance with the RPAA and is not intended to be punitive. An individual or entity is entitled to appeal to the BoC Governor for a reduction in the penalty. As well, an individual or entity is entitled to appeal a decision by the BoC Governor to the Federal Court. Due diligence is a defence in a proceeding in relation to a violation.
An individual or entity is liable for a violation that is committed by any of its employees, third-party service providers, or agents or mandataries acting in the scope of their authority, whether or not the person who actually committed the violation is identified.
The RPAA also provides for a transitional period in which PSPs will be required to register. The period will be determined by the coming into force of provisions which, in turn, come into force on dates to be fixed by order of the Governor in Council.
For more information about our firm’s Fintech expertise, please see our Fintech group page.