Proposed Retail Payment Activities Regulations Issued
The Department of Finance Canada has published proposed Retail Payment Activities Regulations (the “Regulations”) to support the Retail Payment Activities Act (the “RPAA”) in implementing a retail payment supervisory regime to govern payment service providers (“PSPs”) in Canada. A PSP is defined as an individual or entity who performs payment functions as a service or business activity that is not incidental to another service or business activity. For more details on the RPAA, please refer to our prior legal update.
During the policy development process, the Bank of Canada and the Department of Finance Canada undertook extensive consultations with payment industry stakeholders. These consultations involved the publication of several important discussion guides by the Bank of Canada in connection with its engagements with its Retail Payments Advisory Committee (a summary of certain of the discussion guides is available here).
The Regulations aim to address gaps in the supervision of unregulated PSPs in the financial sector. The approach taken is intended to align with the established supervisory regimes for PSPs in comparable jurisdictions such as the European Union, the United Kingdom, and Australia.
The Regulations prescribe proposed standards for operational risk management, requirements for safeguarding end-user funds, registration requirements, reporting requirements, penalties for non-compliance and national security safeguards.
The Regulations are open for consultation for 45 days, until March 28, 2023.
Scope of Application
The RPAA generally applies to PSPs that perform any of the following five payment functions:
- the provision or maintenance of a payment account;
- the holding of end-user funds until withdrawn by the end user or transferred to another individual or entity;
- the initiation of a payment at the request of an end user;
- the authorization or transmission of a payment message; or
- the provision of clearing or settlement services.
The RPAA applies to payment activities for PSPs with a place of business in Canada or those that provide services to end users in Canada.
Exemptions from Scope
The RPAA excludes certain entities and activities from its oversight, namely prudentially regulated financial institutions such as banks and credit unions as well as payment functions that involve closed-loop gift cards.
The Regulations also exempt the following activities:
- Securities transactions: The Regulations provide that payment functions that are performed for the purpose of giving effect to transactions in relation to securities and that are performed by an individual or entity that is regulated, or exempted from regulation, under Canadian securities legislation are exempt from the RPAA.
- SWIFT transactions: The Regulations exclude the Society for Worldwide Interbank Financial Telecommunication (SWIFT) global messaging network from the RPAA.
- Incidental Retail Payment Activities: The Regulations provide that retail payment activities that are performed as a service or business activity that is “incidental” to another service or business activity, which are not payment functions, are also excluded from the RPAA.
Operational Risk Management and Incident Response
Under the RPAA, PSPs are required to establish, implement and maintain a risk management framework to identify and mitigate operational risks and respond to incidents (the “Risk Management Framework”). The new Regulations outline several requirements related to the Risk Management Framework that a PSP must comply with.
The Regulations require a PSP to establish three objectives related to its Risk Management Framework: (1) integrity; (2) confidentiality; and (3) availability of its retail payment activities and systems and data or information involved in the provision of those activities.
Accordingly, the Regulations require each PSP to take the following steps to achieve these objectives:
- identify its operational risks;
- protect its retail payment activities from those risks;
- detect incidents and control breakdowns;
- respond to and recover from incidents;
- review, test and – for some PSPs – audit its Risk Management Framework;
- establish roles and responsibilities for the management of operational risk and incidents;
- have access to sufficient human and financial resources to establish, implement and maintain its Risk Management Framework; and
- manage its risks from third-party service providers, agents and mandataries.
Under the Regulations, a PSP is responsible for ensuring that its Risk Management Framework is proportionate to the potential impact on end users and other PSPs if its retail payment activities were to decrease, deteriorate or break down.
The Regulations require that PSPs demonstrate their compliance with sound operational risk management through various reporting requirements to the Bank of Canada, as discussed below.
End-User Funds Safeguarding Requirements
Under the RPAA, PSPs must either hold funds in a trust account or a segregated account, with insurance or a guarantee to safeguard end-user funds against financial losses due to insolvency, to provide users with reliable and timely access to their funds.
Furthering those objectives, the Regulations have incorporated the following requirements and measures that guarantee end-user funds or related proceeds are accessible to end users:
- Accounts taking custody of end-user funds must be held at prudentially regulated financial institutions such as banks, provincial credit unions, or foreign financial institutions.
- If end-user funds are safeguarded through insurance or a guarantee, the prudentially regulated financial institution providing that insurance or guarantee cannot be an affiliate of the PSP.
- The proceeds from the insurance or guarantee cannot form part of the PSP's general estate and must be payable for the benefit of end-users as soon as feasible following an insolvency event.
- The Bank of Canada must be notified 30 days in advance of the cancellation of the insurance or guarantee.
- PSPs must have a written fund safeguarding framework to ensure that end-users have reliable access to their funds without delay. This document must describe the PSP's systems, policies, processes, procedures, controls and other means to meet the objectives noted above.
- PSPs must keep a ledger with the names of their end-users and the amount of funds held, use liquidity arrangements and hold end-user funds in secure and liquid assets.
- PSPs will be required to have annual reviews and biennial independent reviews of their safeguarding measures to evaluate when end-user funds held by them were not sufficiently safeguarded in the prior year and assess measures that would need to be implemented to mitigate reoccurrence.
Reporting Requirements
PSPs will be required to notify the Bank of Canada of changes to registration-related information. Furthermore, the Regulations establish that a PSP must respond to an information request from the Bank of Canada, as outlined in the RPAA, within 15 days. However, if the requested information is related to ongoing events that could have a “significant adverse impact” on end-users, the response time may be reduced to 24 hours.
The Regulations also set out in detail various types of information PSPs are required to disclose in their annual reports, incident reports and significant change reports to the Bank of Canada.
The Regulations require PSPs to provide prescribed information on their Risk Management Framework and fund safeguarding in their annual report to the Bank of Canada. Specifically, PSPs must report their objectives, changes made to their framework, operational risks, and resources used to implement and maintain their Risk Management Framework. PSPs must also provide information on their account providers, a description of their fund safeguarding framework, the means they use to safeguard funds and independent reviews conducted in the past year. Additionally, PSPs must include information on their ubiquity and interconnectedness based on the value of end-user funds held, volume and value of electronic fund transfers, number of end-users, and the number of PSPs providing services.
Significant Change Reports
PSPs will be required to notify the Bank of Canada at least five days before making a significant change that could materially impact operational risks or the safeguarding of end-user funds. The notification should include information on the reason for the change, its effects and any new policies introduced.
PSPs must report incidents that have a material impact on an end user, other PSPs, or designated financial market infrastructures to the Bank of Canada and other impacted individuals and entities. The notice to the Bank of Canada must include a description of the incident, its impact, and actions taken by the PSP in response to the incident. The notice to impacted end users, other PSPs and specified financial market infrastructures should include a description of the incident, its impact and corrective measures that can be taken by impacted persons.
The Regulations prescribe the information that will be required to be disclosed by the PSP in connection with its application, including information related to organization and structure, contact information, agents, volume and value of its retail payment activities and end-user funds, means of safeguarding end-user funds, third-party service providers, and national security.
Applicants will be required to pay a registration fee of $2500, which will be adjusted for inflation over time. Additionally, an annual assessment fee will be required. The assessment fee will include a base amount for all registered PSPs and a metric-driven amount based on each PSP's share of retail payment activity, value and volume of retail payment transactions. The fee amount will be communicated to each PSP, together with the methodology used to calculate it. The Bank of Canada may refuse to register or revoke a PSP’s registration if the PSP fails to pay its assessment fees.
The Regulations also specify the circumstances under which a change of control requires PSPs to file a new application with the Bank of Canada under the RPAA. The Regulations clarify that a new application must be made when a PSP is acquired by a state-owned enterprise, or when data storage/processing by the PSP or its third-party service provider is in a country outside of Canada and was not identified in the PSP’s initial application for registration.
The Regulations will require a public registry to be maintained by the Bank of Canada which will list each PSP’s registration status, payment functions and contact information.
Record-Keeping and Retention Requirements
The Regulations require PSPs to maintain records demonstrating compliance with the RPAA and the Regulations for five years unless specified otherwise.
National Security Safeguards
The proposed national security review process prescribes how PSPs are to be registered and how reviews are to be conducted, including timelines, information requirements and triggers for re-registration. The Regulations prescribe a 60-day review period for initial registration and 180 days for national security reviews, with the possibility of extension based on the discretion of the Minister. The Regulations also outline a 30-day window for PSPs to request a review of the Minister’s decision after receiving a refusal to register. For national security purposes, PSPs would be required to notify the Bank of Canada of changes to certain prescribed registration information laid out in the Regulations.
Prescribed Supervisory Information
Currently, the RPAA allows for a regulation-making authority to prevent PSPs from using certain supervisory information as evidence in civil proceedings to protect sensitive supervisory information. The Regulations define “prescribed supervisory information” (“PSI”) to include any type of direction, notice, assessment, testing, audit, investigation, plan or report prepared by the Bank of Canada as part of its supervision of a PSP, as well as any reports, letters, recommendations or plans made by the Bank of Canada as a result of a supervisory review of a PSP.
Administration and Enforcement
Under the Regulations, only designated violations would be subject to a notice of violation (“NOV”) accompanied by a potential administrative monetary penalty (“AMP”). The Regulations establish several criteria for the Bank of Canada to consider when determining an AMP, including: (1) the extent of the harm that was caused or could have been caused by the violation; (2) the individual or entity's history of prior violations within the preceding five-year period; and (3) the degree of intention or negligence on the part of the individual or entity committing the violation.
The Regulations also establish penalty ranges for “Serious” or “Very Serious” violations classified under the RPAA, ranging from $1,000,000 for each Serious violation up to $10,000,000 for each Very Serious violation. However, penalties for violating the RPAA's requirement to provide information (such as annual reporting) will not take severity into account. The Regulations prescribe that for violations lasting up to 30 days, the penalty is $500 per day, and the penalty ranges from $15,000 to $1,000,000 for violations lasting more than 30 days.
Additional Bank of Canada Guidance
As noted in the Regulatory Impact Analysis Statement accompanying the Regulations, the Bank of Canada will provide further guidance on the following items:
- the RPAA’s scope and exclusions;
- the requirements for the safeguarding of funds;
- the definition of “significant adverse impact” (see above under “Reporting Requirements”); and
- AMP calculation methodology, which will be published on the Bank of Canada website.
Coming into Force
The Regulations will take effect when the corresponding provisions of the RPAA come into effect as determined by the Governor in Council. The Regulations related to registration, national security, and compliance will come into effect when the RPAA requires PSPs to submit a registration application. The Regulations related to operational risk management, end-user funds safeguarding, reporting, record-keeping and supervisory information will come into effect when the Bank of Canada registers PSPs. The provisions for assessment fees will take effect when the corresponding provisions of the RPAA take effect.
The RPAA and Regulations set out the framework for an extensive new regulatory regime applicable to PSPs. To ensure forthcoming compliance with these new regulations, it is important that PSPs conduct a thorough review of the requirements set forth and prepare accordingly, and provide any relevant comments during the specified comment period, which concludes March 28, 2023.