In Budget 2021: A Recovery Plan for Jobs, Growth and Resilience, as expected, the federal government announced its commitment to work with the provinces to table draft legislation for the proposed retail payments oversight framework (RPOF).
On April 30, 2021, the long-awaited draft, Retail Payments Activities Act (Canada) (the RPAA), was published by the Government of Canada in Bill C-30. The exact details of the new regime will come to light as draft regulations are published for review. Nevertheless, the RPAA provides a broad view of what the new regulatory regime will look like and what it will mean for payment service providers (PSPs) offering services to Canadians, once the legislation comes into force.
Evolution of the RPOF: A brief history
In its 2015 consultation paper entitled “Balancing Oversight and Innovation in the Ways We Pay”, the Government of Canada sought the views of Canadians on the merits of a functional approach to retail payment oversight.
Four years ago, in 2017, Canada’s federal Department of Finance (the Department) acknowledged that its traditional practice of regulating the players as opposed to the playing field is no longer appropriate in a rapidly changing retail payments space with evolving business models, activities and products. Thus, a new Retail Payments Oversight Framework (RPOF) was first formally proposed.
In March 2019, the Government of Canada’s Budget 2019: Investing in the Middle Class included a plan to take the first steps toward establishing the RPOF by proposing to introduce legislation for its implementation.
It was also announced in March 2019 that the Bank of Canada (the Bank) would oversee PSPs’ compliance with operational and financial requirements of the proposed RPOF and maintain the public registry of regulated PSPs.
With the publication of the RPAA, we can now see the full scale of the federal framework proposed to be used to regulate and supervise PSPs and their retail payment activities in Canada.
Canada’s first regulatory regime for retail payment service providers: the RPAA
A. What types of payments are included?
According to the RPAA, the new regime will apply to any retail PSP (located inside or outside of Canada)1 when performing one or more of the following payment functions in the context of an electronic fund transfer ordered by an end user (a person or entity that uses a payment service as a payer or payee):
- Provision and maintenance of a payment account: Providing and maintaining an account that, in relation to an electronic funds transfer, is held on behalf of one or more end users.
- Payment initiation: Initiating an electronic funds transfer at the request of an end user.
- Authorization and transmission: Authorizing an electronic funds transfer, or the transmission, reception or facilitation of an instruction in relation to an electronic funds transfer.
- Holding of funds: Holding funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity.
- Clearing and settlement: Providing clearing or settlement services.
Accordingly, the new regime would cover a wide variety of day-to-day transactions that are conducted through various payment methods, including credit card transactions, online payments, pay deposits, debit transactions, pre-authorized payments and peer-to-peer money transfers.
B. What types of payments are excluded?
Notwithstanding the broad definitions of payment functions that are subject to the RPAA, certain types of transactions that pose limited risk to end-users will be excluded from the new regulatory framework, including all-cash transactions, transactions involving gift cards or limited-use cards, transactions related to securities asset servicing (e.g., dividends distribution, redemption or sale) and derivatives, transactions at ATMs for the purpose of cash withdrawals, transactions between affiliated entities and the clearing and settlement of transactions made through systems designated under the Payment Clearing and Settlement Act (e.g., the large value transfer system and the automated clearing and settlement system).
In addition, the application of the new regulatory framework would be limited to transactions that are carried out solely in fiat currencies (i.e., regulated currencies such as the Canadian dollar) and would not extend to virtual currencies, as the use of virtual currencies in retail payments is limited. However, the Department has stated that it will continue to monitor the use of virtual currencies in retail payments and will propose adjustments to the regulatory framework to include them as warranted.
C. What is required of PSPs?
End-user fund safeguarding
Where PSPs perform a retail payment activity that results in a PSP holding end-user funds until they are withdrawn by the end user or transferred to another individual or entity, the PSP must hold these end-user funds in a trust account that meets certain clearly defined requirements. The full details of these requirements, including measures the PSP must take in relation to the funds and the account, will be known once associated regulations of the RPAA are published.
Operational and financial measures
To mitigate against a set of operational risks described in the consultation paper from 2015, the RPAA will require PSPs performing any of the five payment functions set forth above to comply with a set of principles related to establishing security and operational objectives and policies and business continuity planning that would be based on the Principles for Financial Market Infrastructures, which are incorporated in the Bank’s risk management standards in assessing operational risks in core national payment clearing and settlement systems, and adapted to address operational risks inherent to retail payments. This means that PSPs will be required to establish, implement and maintain a risk management and incident response framework that meets prescribed requirements.
Dispute resolution
Consistent with previous statements made by the Department, the RPAA does not impose obligations for PSPs to have complaint-handling procedures in place. Therefore, PSPs should ensure its activities accord with provincial consumer protection legislation in the provinces it offers services. As mentioned above, once associated regulations to the RPAA are published for review, PSPs should have more clarity on the full breadth of their obligations under the RPOF.
Liability
The Department has noted that there are currently liability rules related to unauthorized transactions and errors for certain payment instruments and systems (e.g., Payments Canada system rules, provisions in the Cost of Borrowing (Banks) Regulations for lost or stolen credit cards and the Canadian Code of Practice for Consumer Debit Card Services). However, it points out that these liability rules are not applicable to all retail payment services and it identifies that other jurisdictions (notably the European Union and Australia) have specified when an end-user is liable for a loss related to an unauthorized transaction or error. Accordingly, it is possible that rules around liability for losses of end-user funds due to unauthorized transactions or errors (subject to the end user meetings its obligations), may be addressed in the regulations once they are available for review.
Registration
Once the RPAA comes into force, existing PSPs will be required to apply for registration with the Bank, or in the case of a new PSP, before it performs any retail payment activities. In order to register, PSPs would be required to provide in their application detailed information in accordance to the form and manner outlined in the RPAA. In addition, the PSP applicant will need to provide information about its affiliated entities, directors and managers or owners.
Furthermore, as expected, the registration requirement for PSPs under the RPAA has cross-over with Canada’s main federal anti-money laundering legislation, to promote compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). The PCMLTFA already requires that money service businesses (MSBs), which face significant money laundering and terrorist financing risk, implement a series of measures to help deter and detect those activities. Once in force, under the RPAA, the Bank can deny or revoke registration of a PSP if it is also an MSB, and if it has been penalized by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for a “very serious” violation in the five-year period preceding its application, or in the case of a money remitter, if it is not registered with FINTRAC. However, it is important to note that not all entities requiring registration as a PSP under the RPAA would be required to register as an MSB with FINTRAC, under the PCMLTFA.
Public registry of regulated PSPs
The Bank will maintain a public registry of the registered PSPs, including publishing a list of individuals or entities it has refused to register and the PSPs that have had their registrations revoked, along with the reasons for such refusal or revocation.
Timing of implementation
At this time, we believe that the new regime is at least two years away from implementation. At which time, we expect that there will be a phase-in period to allow for existing market participants to come into compliance. What is still unclear is which comes first—do participants have to register and then prove compliance, or do entities need to demonstrate compliance first, then they will be registered? Based on the recent introduction of the foreign money service business regime under the PCMLTFA, we believe that PSPs will likely have to register first and then build out compliance policies and procedures prior to full compliance being required.
If you would like to know more about the RPAA or have any questions regarding the impact this coming legislation might have on your business activities, please do not hesitate to reach out to the authors of this article or any member of BLG’s Financial Services Regulatory Group.
1 A PSP that is located outside of Canada is subject to the RPAA in respect of any retail payment activity (as applicable) that is performed for an end user in Canada.
