On February 10, 2023, draft regulations (Regulations) to the Retail Payment Activities Act (Act) were released for a 45-day comment period closing on March 28, 2023. The Regulations provide further details and clarifications around the new retail payment supervisory regime for payment service providers (PSP) in Canada, including standards for (i) operational risk management; (ii) requirements to safeguard end user funds; (iii) PSP registration requirements with the Bank of Canada (BOC); (iv) reporting requirements; and (v) penalties for violations. PSPs that will be caught by the Act, subject to exemptions set out in the Act and Regulations, are any payment service providers that (i) maintain or provide a payment account; (ii) hold end-user funds until withdrawn by the end user or transferred to another individual or entity; (iii) initiate payments at the request of an end user; (iv) authorize or transmit payment messages; or (v) provide clearing or settlement services. Given the potential compliance costs associated with the requirements set out in the Regulations for both domestic and foreign PSPs doing business in Canada, companies that provide payment functions regulated by the Act should review and consider providing feedback on the Regulations. 


Registration

In order to register under the Act, a PSP would need to pay a one-time registration fee of $2,500 (to be adjusted for inflation over time). A new application would be required if any individual or entity is seeking to acquire “control” of a registered PSP. The Regulations clarify that an individual or entity acquires control of (i) a corporation once they, alone or in combination with another entity, hold one-third or more of votes that may be cast to elect directors of the corporation, or if they acquire control of an entity that controls a corporation; (ii) a limited partnership once they become a general partner of that limited partnership; and (iii) any entity other than a corporation or a limited partnership, once they, alone or in combination with another entity, hold an interest that entitles them to receive one-third or more of the entity’s profits (or assets on dissolution), or acquire control of an entity that controls the registered PSP. Registered PSPs will also be required to pay an annual assessment fee consisting of (i) a base amount that equally distributes a portion of BOC’s supervisory costs to all registered PSPs; and (ii) a metric-driven amount based on the registered PSPs’ share of retail payment activity regulated under the Act.

Risk management and incident response

The Regulations clarify the requirements of a risk management and incident response framework (Risk Management Framework) that registered PSPs will be required to implement. The Risk Management Framework must be in writing and include the following objectives: (i) ensuring that the PSP is able to perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of the PSP’s systems, data and information involved in the performance of the retail payment activities; and (ii) preserving the integrity and confidentiality of the PSP’s activities, systems, data and information. The Risk Management Framework must set out clearly defined and measurable reliability targets to meet the aforementioned objectives. The PSP should (i) identify all assets and business processes that are associated with performance of retail payment activities and classify them according to their sensitivity and criticality to performance of those activities; and (ii) recognize and describe potential causes of all operational risks (such as fraud, cybersecurity risks, etc.) and describe the systems, policies, procedures and controls in place to mitigate these risks and detect any incidents that could indicate the emergence of such risks.

The Risk Management Framework would also need to specify in detail the actions to be undertaken by the PSP, including, (i) reviewing, testing and auditing its Risk Management Framework either: (a) once a year; (b) before making any significant changes to its operations or its policies and procedures; or (c) upon becoming aware of an incident that could have a material impact on an end user, a payment service provider or a “clearing house” (as defined in the Payment Clearing and Settlement Act); (ii) allocating roles and responsibilities for the management and mitigation of operational risk and incidents; (iii) ensuring that there is access to sufficient human and financial resources to establish, implement and maintain its Risk Management Framework; (iv) having a clear response plan to deal with incidents (including those involving or detected by an agent or mandatary or third-party service provider), which should detail the process for investigating incidents, policies and procedures for reporting incidents (discussed below), resuming operations following an incident and keeping a record of incidents; and (v) managing its risks from third-party service providers, agents and mandataries.

Safeguarding of funds

To minimize financial losses resulting from the business insolvency or inadequate risk-management practices of PSPs, the Regulations require PSPs to hold end-user funds in accounts held with prudentially regulated financial institutions such as banks, provincial credit unions, trust and loan companies and foreign financial institutions that are subject to a regulatory framework comparable to regulations that apply to eligible financial institutions in Canada. If a PSP holds insurance or a guarantee to meet the fund safeguard requirements, such guarantee or insurance must come from a prudentially regulated financial institution that is not an affiliate of the PSP, and insurance and guarantee proceeds cannot form part of the PSP’s estate in bankruptcy. Rather, such proceeds are payable for the benefit of end-users as soon as feasible following an insolvency event.

To further protect end-user funds, the Regulations set out additional information with respect to the content to be included in the PSPs’ written safeguarding-of-funds framework (Fund Safeguarding Framework), which focuses on establishing systems, policies, procedures, processes and controls to ensure that end users have reliable access to their funds in the event of insolvency. The Fund Safeguarding Framework should include (i) details of liquidity arrangements and holding of end-user funds in secure and liquid assets; (ii) requirements for keeping a ledger with the names of the PSP’s end users and the amount of funds held; and (iii) legal risks and operational risks that threaten the end users' access to funds in the event of a PSP’s insolvency. PSPs are required to review the Fund Safeguarding Framework on an annual basis to identify any gaps or vulnerabilities. 

Reporting requirements

Registered PSPs are required to regularly report to the BOC through annual reports, incident reports and significant change reports. In addition to the preparation and content requirements for annual reports regarding a PSP’s Risk Management Framework and Fund Safeguarding Framework discussed above, the Regulations further require that the annual report include information on the (i) value of end-user funds held; (ii) volume of electronic fund transfers with respect to the retail payment activity performed by the PSP; (iii) value of electronic fund transfers in relation to which they performed a retail payment activity; (iv) number of end users; and (v) number of PSPs that services are provided to. 

PSPs that do not have a place of business in Canada (foreign PSPs) are still required to provide information establishing the foreign PSP’s “ubiquity and interconnectedness” in Canada, including the maximum value of end users’ funds that the foreign PSP held at any time for end users in Canada, the average value of such end-user funds held for each reporting month and the number of electronic transfers in relation to which the foreign PSP performed retail payment activities for end users in Canada.

The Regulations specify that, at least five days before making a significant change in the way it performs a retail payment activity or before it performs a retail payment activity, a PSP must inform the BOC of the change, highlighting (i) the reason for the change; (ii) the PSP’s assessment of the effect of the change on operational risks or fund safeguarding practices; and (iii) any policies introduced as a result of the change. In addition, PSPs would be required to report any incidents that have a “material impact” on an end user to the BOC. PSPs are given 15 days to respond to the BOC’s request for information in relation to the incident that has occurred and their compliance with the Act more generally. Where information is requested by the BOC following an event which could have a significant adverse impact on individuals or entities (for example, a widespread network outage), a PSP is given 24 hours to respond to the BOC’s request for information.

Administration and enforcement

The Regulations provide for an administrative monetary penalty ranging from $1,000,000 in the case of a serious violation, and up to $10,000,000 per violation considered to be very serious. The BOC will consider the following criteria when determining the severity of a violation and the appropriate penalty: (i) the harm done, or that could have been done, by the violation; (ii) any prior violation within the five-year period immediately before the violation; and (iii) the degree of intention or negligence on the part of the PSP. Violations relating to the provision of information, such as the reporting requirements discussed above, are not considered to be serious violations. As such, the maximum penalty for these violations is fixed at $500 per day if the violation continues for less than 30 days, and $15,000 to $1,000,000 for violations that continue for longer than 30 days.


