The anticipated proposed draft Retail Payment Activities Regulations (the Regulations) under the Retail Payment Activities Act (the Act) were published on February 11, 2023. There is a 45-day consultation period (until March 23, 2023) for stakeholders to review and respond. We previously reported on the Act in our Cassels Comment, "New Regulation of Payment Service Providers in Canada."

The Bank of Canada (the Bank) will be supervising payment services providers (PSPs) under the Act. The Regulations include details on exemptions to the Act, prescribe key elements and details needed for PSPs to register with the Bank, comply with the Act, and for the Bank to promote compliance with the Act and Regulations. Further guidance is being prepared by the Bank to assist PSPs with compliance.

The following is an overview of the Regulations. Given the impact on businesses that provide retail payment services in Canada, stakeholders should review the Regulations.

APPLICATION TO RETAIL PAYMENT SERVICES PROVIDERS; EXEMPTIONS

The Act applies to PSPs in Canada in respect of all their payment activities and to foreign PSPs in respect of payment activities that such PSPs direct to and perform for end users in Canada.

PSPs are defined in the Act as an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity. The Act applies to the following payment functions related to an electronic funds transfer (EFT) from one end user to another using a PSP:

  • the provision or maintenance of a payment account;
  • the holding of end-user funds until withdrawn by the end user or transferred to another individual or entity;
  • the initiation of a payment at the request of an end user;
  • the authorization or transmission of a payment message; or
  • the clearing or settlement.

As described in our earlier Cassels Comment, the Act does not apply to certain entities (e.g., federally regulated financial institutions) and certain activities (e.g., payment functions between a PSP and an affiliated entity). The Regulations further exclude SWIFT, securities-related transactions, and retail payment activities performed as a service or business activity that is incidental to another service or business activity that is not a payment function. Further guidance is expected from the Bank on the Act's scope and exclusions.

REGISTRATION WITH THE BANK

Registry

The Bank will maintain a registry of registered PSPs including the PSP's registration status, business contact information and payment functions performed. The Bank has discretion to refuse an application or revoke a registration.

Registration Fee; Annual Assessment Fee

A one-time registration fee of $2,500, to be adjusted for inflation over time, is payable as part of a PSPs registration application.

The Act provides that the Bank must ascertain its total expenses incurred in connection with the administration of the Act. This amount is recovered through the registration fees and through an annual assessment fee payable by each registered PSP. The Regulations provide the methodology for the annual assessment fee, which fee would be comprised of two parts: (1) a base amount that equally distributes a portion of costs to all registered PSPs; and (2) a metric-driven amount where the remainder of costs is proportionally distributed to all registered PSPs based on their share of retail payment activity.

The metric-driven amount would consist of a PSP's value and volume of retail payment transactions, as well as end-user funds held, relative to those of all registered PSPs. The Regulations include a formula establishing how fees would be distributed among the base amount and metric-driven amount.

Change of Control

If there is a change of control (i.e. new entity or individual acquiring control of the PSP), then a new application for registration must be submitted to the Bank. The Regulations define control, including the manner of acquiring control, presumptions respecting control of entities and acquisition of control, and acquisitions by more than one transaction or event.

RISK MANAGEMENT AND INCIDENT RESPONSE

The Act requires PSPs to establish, implement and maintain a risk management and incident response framework. The Regulations require PSPs to preserve the (1) integrity; (2) confidentiality; and (3) availability of its retail payment activities and of the systems, and data or information involved in the provision of those activities. To do so, the Regulations require a PSP to:

  • identify its operational risks;
  • protect its retail payment activities from those risks;
  • detect incidents and control breakdowns; and
  • respond to and recover from incidents.

A PSP would also be required to, among other obligations, review, test, and, if applicable, audit its risk management framework, and manage its risks from third-party service providers, agents and mandataries.

SAFEGUARDING OF FUNDS

As summarized in our earlier Cassels Comment, the Act requires funds safeguarding by PSPs by requiring PSPs to (1) hold funds in trust, in a trust account or (2) holding funds in a segregated account and hold insurance or a guarantee in respect of the funds. The Regulations require that accounts used to hold end-user funds be held at prudentially regulated financial institutions (e.g. banks, provincial credit unions, foreign financial institutions).

If the insurance or guarantee option in the Act applies to the PSP in respect to safeguarding end-user funds, the Regulations require that the insurance or guarantee be from a prudentially regulated financial institution that is not an affiliate of the PSP, and that the proceeds from the insurance or guarantee must not form part of the PSP's general estate and must be payable for the benefit of end users as soon as feasible following an insolvency event. 30 days advance notice to the Bank would also be required if the insurance or guarantee is being cancelled.

PSPs would be required to have a written safeguarding-of-funds framework to ensure that end users have reliable access to their funds without delay, and that, in the event of PSP insolvency, the funds or proceeds of the insurance or guarantee are paid to end users without delay. Additionally, the PSP's safeguarding measures would have to be reviewed on an annual basis or, in other specified circumstances, be subject to biennial independent reviews. PSPs would also be required to evaluate when the end-user funds held by them were not sufficiently safeguarded in the prior year and assess measures that would need to be implemented to mitigate reoccurrence.

REPORTING

Under the Act, registered PSPs are required to report to the Bank by submission of various reports including annual reports, incident reports and significant change reports.

Annual Report

The Regulations require PSPs to include in the annual report to the Bank the following elements of their risk management framework:

  • objectives;
  • changes to their risk management framework;
  • a description of their operational risks; and
  • human and financial resources to implement and maintain their risk management framework.

In relation to funds safeguarding, the Regulations require PSPs to include in the annual report the following elements:

  • information on their account providers;
  • a description of the means they use to safeguard funds;
  • a description of their fund safeguarding framework; and
  • independent reviews conducted in the past year.

Lastly, the Regulations would require that the annual report include information on the PSP's ubiquity and interconnectedness, as demonstrated by (1) the value of end-user funds held; (2) the volume of EFTs in relation to which they performed a retail payment activity; (3) the value of EFTs in relation to which they performed a retail payment activity; (4) the number of end users; and (5) the number of PSPs that services are provided to.

Significant Change Report

Under the Act, PSPs are required to notify the Bank before they make a significant change in the way they perform a retail payment activity or before they perform a new retail payment activity. The Regulations establish that a PSP must notify the Bank of a significant change at least five days prior to making the change.

Incident Report

The Act requires that PSPs report incidents that have a "material impact" on an end user, other PSPs, or designated financial market infrastructures to the Bank and to impacted individuals and entities.

The Regulations would require that the notice to the Bank include a description of the incident, its impact on individuals or entities listed in the Act, and actions taken by the PSP to respond to the incident. The notice to impacted end users, other PSPs and specified financial market infrastructures would need to include a description of the incident, its impact on individuals or entities listed in the Act, and corrective measures that can be taken by those impacted individuals or entities.

Information Requests

The Act provides authority to the Bank to request information from a PSP pertaining to its compliance with the regime, and for a PSP to comply with the request within a prescribed time period. The Regulations set out the standard time period of 15 days to respond, unless the information being requested relates to events which are ongoing and could have a significant adverse impact on individuals or entities, such as end users or other PSPs.

Notices of Change in Information

Under the Act, PSPs are required to notify the Bank of changes to certain registration-related information. The Regulations set out when changes to various types of information set out in the Act must be submitted to the Bank.

RECORD KEEPING

The Regulations require a PSP to maintain sufficient records to demonstrate compliance with the Act and the Regulations – records must be retained for five years unless otherwise specified in any required undertaking or imposed condition by order of the Minister of Finance in relation to national security.

ADMINISTRATION AND ENFORCEMENT

The Regulations designate violations under the Act and the Regulations. Only designated violations would be subject to a notice of violation (NOV) and an accompanying administrative monetary penalty (AMP).

The Regulations include a range of penalty amounts for serious violations (up to $1,000,000 per violation) or very serious violations (up to $10,000,000 per violation) in increasing severity, according to the significance of the violation.

If a NOV identifies two or more serious violations that arise from the contravention of the same provision of the Act or its regulations, that series of serious violations would be reclassified as a single very serious violation.

The Regulations establish the following criteria that the Bank will consider when determining an AMP:

  • The harm done, or that could have been done, by the violation;
  • The history of the individual or entity who committed the violation with respect to any prior violation within the five-year period immediately before the violation; and
  • The degree of intention or negligence on the part of the individual or entity who committed the violation.

For violations of the Act's requirements relating to the provision of information, such as annual reporting, if the violation has continued for no more than 30 days, the amount of the penalty in respect of the violation is $500 for each day that it has continued. If the violation has continued for more than 30 days, the range of penalties in respect of the violation is from $15,000 to $1,000,000.

As set out above, the Bank will provide further guidance on the elements of the Act and Regulations once the Regulations are finalized after the consultation period and come into force.

The Regulations would come into force when relevant provisions of the Act come into force:

  • Provisions of the Regulations related to registration, national security and compliance would come into force when the Act provision requiring PSPs to submit a registration application comes into force.
  • Provisions of the Regulations addressing operational risk management, end-user funds safeguarding, reporting, record keeping and prescribed supervisory information would come into force when the Bank must register PSPs and notify PSPs of their registration.
  • Provisions of the Regulations related to assessment fees would come into force when the relevant provisions of the Act come into force.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.