With the publication for consultation on Feb. 10, 2023 of the proposed Retail Payment Activities Regulations (Regulations), Canada is now much closer to regulating the activities of payments businesses and fintech companies as payment service providers (PSPs).
What you need to know
- We previously discussed the long-awaited publication of the Retail Payment Activities Act (Canada) (the Act) when it was first introduced in the spring of 2021. The equally long-awaited Regulations under the Act have now been published for consultation so that payments businesses and fintech companies can begin to prepare for implementation of the new regulatory regime.
- The new retail payments oversight framework will adopt a principles-based and operational approach to regulating domestic and foreign PSPs operating in Canada.
- The draft Regulations outline specific compliance and operational requirements for (1) creating a risk management and incident response framework, (2) safeguarding end-user funds, (3) reporting, (4) registration and (5) record keeping.
- Industry stakeholders can submit comments to the federal government on the draft Regulations until March 28, 2023, under the drop-down menu of the relevant section in the Regulations.
PSPs under the supervision of the Bank of Canada
The long-awaited draft Regulations have finally been published for review and comment so that payments businesses and fintech companies can identify the potential impact of the Regulations on their activities and begin to prepare for implementation.
Although the Act became law on June 29, 2021, compliance obligations under it were not yet in force pending publication and finalization of the necessary regulations contemplated in the Act.
With the publication of the Regulations, Canada is now much closer to bringing PSPs under the supervision of the Bank of Canada (the Bank). The draft text of the Regulations provides additional insights on what the Bank expects of the PSPs it will supervise once the new framework is in force.
The government’s consultation period for the proposed Regulations runs until March 28, 2023.
Who will be subject to the retail payments supervision framework?
Due to its broad scope, it is estimated that there could be approximately 2,500 PSPs impacted by the new framework.
As discussed in more detail in our previous bulletin, the framework will apply to any retail PSP located inside or outside of Canada 1 when performing one or more of the following payment functions in the context of an electronic fund transfer (EFT) ordered by an end-user:
- Providing and maintaining a payment account
- Initiating payment(s)
- Authorizing and transmitting EFTs, or facilitating instructions related to an EFT
- Holding funds on behalf of end users
- Providing clearing or settlement services
An end-user is defined as a person or entity that uses a payment service as a payer or payee.
Who will be excluded from the retail payments supervision framework?
Despite the broad definition of payment functions that are expected to be subject to the framework (listed above), the draft Regulations provide further clarification on who may be exempted from the framework.
To prevent regulatory and supervisory duplication, the Act empowers the governor of the Bank to exempt certain entities or classes of entities from certain provisions of the framework if they are already subject to substantially similar provisions in another Canadian federal or provincial law.
Specifically, the Act excludes from the framework certain types of transactions that pose limited risk to end-users.
The draft Regulations further exclude transactions that are already regulated (or already exempted from regulation) under Canadian securities laws and Society for Worldwide Interbank Financial Telecommunications (SWIFT), as well as payment activities that are considered “incidental” to another service or business. Based on a public consultation report made by the Interim Retail Payments Advisory Committee, the Bank will consider, among other things, the payment flows and the involvement of third parties in the payment activities when defining “incidental”.
Proposed regulatory obligations for PSPs
We previously summarized the general requirements that will apply to PSPs. The Regulations expand upon these requirements by providing a more detailed understanding of PSPs’ obligations, particularly as it relates to the following:
- Risk management framework and incident response. The Regulations aim to ensure that PSPs establish, implement, and maintain a risk management and incident response framework in order to identify and mitigate operational risks, such as cyber attacks and respond to incidents. PSPs will be required to establish objectives related to the preservation of the integrity, confidentiality and availability of their retail payment activities and systems. PSPs will also be required to identify operational risks and mitigate and protect against them, set out measures to detect incidents, respond to and recover from incidents.
A PSP’s risk framework will also need to account for third-party service providers, which will likely become a consideration in the course of PSPs’ commercial arrangements with vendors and partners for payments activities.
- Safeguarding end-user funds. PSPs that hold end-user funds must establish, implement and maintain a written safeguarding-of-funds framework that conforms with draft Regulations.
To ensure end-users have reliable and timely access to their funds, the draft Regulations require that accounts used to hold end-user funds be maintained in one of two ways. Firstly, they can be held in trust at prudentially regulated financial institutions (such as banks and credit unions). Alternately, PSPs can choose instead to utilize a insurance or guarantee option to safeguard end-user funds, which insurance or guarantee must be from a prudentially regulated financial institution that is not an affiliate of the PSP.
- Reporting. There are extensive reporting and notification requirements under the proposed Regulations.
For example, PSPs will be required to submit an annual report to the Bank containing extensive prescribed details no later than March 31 of each year. In addition, notice must be provided regarding any significant change or new activity in the way a PSP performs a retail payment activity. Associated record keeping obligations apply.
In addition, PSPs will notably be required under certain circumstances to notify the Bank of incidents, defined under the Act as “an event or series of related events that is unplanned by a payment service provider and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any retail payment activity that is performed by the payment service provider”. Individuals or entities materially affected by an incident will also have to be directly contacted.
- Registration and public registry. Once a PSP is registered under the Framework, a new application for registration will be required if an individual or entity seeks to acquire control, directly or indirectly, of the PSP. A new application for registration is also required if a PSP plans on making “prescribed changes”, which include an acquisition by a state-owned enterprise, or if the storage or processing of certain information by the PSP or a third-party service provider outside of Canada.
As expected, the Bank will maintain a public registry of PSPs listing information such as its address and the activities they are registered to perform under the Framework.
The proposed Regulations also specify the circumstances under which the Bank will have the power to impose administrative monetary penalties, which could reach up to $10 million in the case of a serious violation of the framework. For instance, serious violations will include failing to establish, implement, and maintain a risk management and incident response framework in compliance with the Regulations, as well as failing to hold end-user funds in a trust account that is not used for any other purpose and that is held according to the Regulations.
At this time, the Bank will consider comments received in the 45-day consultation period, after which final Regulations will be issued. Once the Framework is fully operational, we expect that there will be a phase-in period to allow for existing market participants to come into full compliance of the new rules.
Given the notable similarities between the framework and Canada’s federal anti-money laundering regime, entities that are existing money services businesses should ensure they are aware of regulatory matters that might impact their payments activities under the coming framework.
If you would like to know more about the Act, proposed Regulations or have any questions regarding the impact the coming framework might have on your business activities, please reach out to any of the authors listed below, or to a member of BLG’s Financial Services Regulatory Group.
1 A PSP that is located outside of Canada is subject to the Act in respect of any retail payment activity (as applicable) that is performed for an end user in Canada.