Background
On February 11, 2023, the proposed Retail Payment Activities Regulations were published in the Canada Gazette. This is to support the Retail Payment Activities Act (RPAA) which was released under Bill C-30 and received royal assent in June 2021. The Retail Payment Activities Regulations are required to bring the RPAA into force.
A Payment Service Provider (PSP) is defined as an individual or entity who performs payment functions as a service or business activity that is not incidental to another service or business activity. Certain entities, such as financial institutions, are exempt as they are regulated under other federal obligations (i.e., Office of the Superintendent of Financial Institutions’ Operational Risk and Enterprise Risk Management guidelines).
The current lack of requirements and supervision increases risks, such as the risk of financial loss in instances of business insolvency, and threats to the security of sensitive personal information. The Regulations aim to address gaps in the supervision of unregulated PSPs and are meant to align with other jurisdictions which already have regimes for PSPs.
The principles that guide the Regulations are:
- Necessity — supervision should address risks that lead to significant harm to end users and avoid duplication of existing rules;
- Proportionality — level of supervision should be commensurate with the level of risk posed by the payment activity;
- Consistency — similar risks should be subject to a similar level of supervision; and
- Effectiveness — requirements should be clear, accessible and easy to integrate within different payment services.
PSPs will be required to apply and register with the Bank of Canada (no date for this yet). There is a proposed registration fee of CAD 2500. Additionally, an annual assessment fee will be required.
In the following sections, we have summarized what we feel are the most important requirements to note.
Operational Risk Management
PSPs will have to implement and maintain an Operational Risk Framework consisting of the following:
- Identify its operational risks (i.e., business continuity, cybersecurity, fraud, data management, information technology, human resources, process and product design and implementation, change management, physical security and third parties);
- Protect its retail payment activities from those risks;
- Detect incidents and control breakdowns;
- Respond to and recover from incidents;
- Review, test and audit its Risk Management Framework;
- Establish roles and responsibilities for the management of operational risk;
- Have access to sufficient human and financial resources; and
- Manage risks from third-party service providers, agents and mandataries.
A PSP must ensure that the above are proportional to the impact that a reduction, deterioration, or breakdown of its payment activities could have on end users.
Incident Response
Under the proposed Regulations, PSPs must develop a comprehensive plan for investigating, responding to and recovering from incidents that have a material impact on an end user. An incident is defined as an event or series of related events that is unplanned and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any payment activity performed by a PSP.
The incident would be reported to the Bank of Canada and would include the following at a minimum:
- A description of the incident;
- The impact on individuals or entities listed in the Act; and
- Actions taken by the PSP to respond to the incident.
There would also need to be a notice to impacted end users and other impacted parties.
PSPs can only resume operations after an incident once they have verified that the integrity and confidentiality of all systems, data and information have been restored, and that they are able to perform retail payment activities without reduction, deterioration or breakdown.
Audit, Testing and Training
Under the proposed Regulations, PSPs will have to complete various types of testing related to the Framework and have training in place.
All staff who have a role in establishing, implementing or maintaining the PSP’s Risk Management Framework must be provided with the information and training that are necessary to carry out that role.
Framework Review
On at least an annual basis, PSPs must evaluate their compliance with regulatory requirements. Such a review is also required before any significant changes are made to the PSP’s operations or controls after an incident (defined in the section above). The findings of the review must be reported to a senior officer.
Testing
PSPs must also establish and implement a testing methodology to determine the effectiveness of their Risk Management Framework. This must be tested at least once every three years and findings must also be provided to a senior officer.
Independent Review
In addition to the above, a PSP must have its Framework independently reviewed at least every three years. The review must be documented and describe the scope, methodology used and findings. Findings of the review must be reported to a senior officer.
Biennial Independent Review
PSPs must have requirements related to safeguarding of funds tested at least once every two years by a sufficiently skilled individual who has had no role in the establishment, implementation, or maintenance of the safeguarding requirements under a PSP’s Framework. We discuss what the safeguarding requirements are below.
Safeguards
PSPs will be required to hold customer funds in a trust account or a segregated account, with insurance or a guarantee to safeguard end-user funds against financial losses due to insolvency.
For consumer protection, the Regulations contain requirements to protect the end user from loss. These requirements include:
- End-user funds must be held at prudentially regulated financial institutions;
- Insurance or guarantee cannot be from an affiliate of the PSP;
- The proceeds from the insurance or guarantee cannot form part of the PSP’s estate;
- The Bank of Canada must be notified at least 30 days in advance of the cancellation of the insurance or guarantee;
- PSPs must implement and maintain a written fund safeguarding framework to ensure that end-users have reliable access to their funds without delay; and
- PSPs must keep a ledger with the names of their end-users and the amount of funds held.
This will require detailed flow of funds documentation.
Reporting
Under the proposed Regulations, PSPs will have to complete various types of reports.
Annual Report
PSPs will need to provide an annual report to the Bank of Canada, no later than March 31 of each year. Some of the information that must be contained in the report is:
- A description of any changes made to the payment service provider’s risk management and incident response framework;
- A description of the human and financial resources for implementing and maintaining the risk management and incident response framework;
- A description of the PSP’s operational risks in respect of the reporting year, their potential causes and the manner in which they were identified;
- A description of the systems, policies, procedures, processes, controls, including any approvals required;
- A description of training;
- A description of all reviews, and independent reviews; and
- A description of any incidents that the payment service provider experienced during the reporting year.
Also, the report will need to contain certain volume and value statistics related to the services a PSP is providing.
Significant Change Report
PSPs will be required to notify the Bank of Canada, at least five days in advance, before making a significant change that could materially impact operational risks or the safeguarding of end user funds.
The information that must be contained in the report is:
- The name and contact information of the individual who may be contacted regarding the significant change;
- A description of the change or new activity to be performed;
- The reason for the change or new activity;
- The date on which the change is to be made;
- The PSP’s assessment of the effect that the change or new activity will have on its operational risks; and
- A copy of all documentation in relation to the PSP’s Risk Management Framework, that has been amended to reflect the change or new activity, including any necessary approvals.
If a PSP has senior officers, the change or new activity must be approved and receive formal sign off by senior management before submission of a report. This should be taken into account from a planning perspective, as it can take some time to obtain such internal approvals.
Incident Report
PSPs must report incidents that have a material impact on an end user, other PSPs, or designated financial market infrastructures, to the Bank of Canada and other impacted individuals and entities.
The information that must be contained in the report is:
- A description of the incident;
- The impact that the incident has on individuals and entities; and
- The actions that have been taken by the PSP to respond and remediate.
The Regulations do not make it clear what timeframe is required for reporting such incidents; however, they do state that the standard time to respond to a request from the Bank of Canada is 15 days. Failure to report an incident can result in an administrative monetary penalty classified as very serious.
What Does This Mean?
From the highlights, it’s evident that these Regulations will create a substantial burden for PSPs, especially ones that are smaller or just starting. A significant amount of time, resources and cost is going to be needed to manage the compliance requirements that PSPs will need to follow. If a PSP does not comply or there is partial compliance, it may be subject to administrative monetary penalties that range from CAD 1,000,000 for each serious violation, up to CAD 10,000,000 for each very serious violation. The draft Regulations did not make clear what a dispute process would look like.
It should be noted that most PSPs captured under the RPAA are also considered money services businesses (MSBs), and as such must also comply with anti-money laundering (AML) compliance obligations. Check out our blog related to that here.
What Next?
Because these changes are not final, we wait. There is no set date for when we can expect final legislation or when it will come into force, but it is a good time to start budgeting and aligning resources.
Also, as there is a 45-day comment period for the proposed Regulations which closes on March 28, 2023, PSPs should review the Regulations carefully and provide feedback. Comments can be submitted online via the commenting feature after each section of the proposed Regulations, via email, or via regular mail to Nicolas Marion, Senior Director, Payments Policy, Department of Finance, 90 Elgin Street, Ottawa, Ontario K1A 0G5.
We’re Here To Help
If you have questions related to the proposed changes, or need help starting to plan, you can get in touch using the online form on our website, by emailing us at info@outliercanada.com, or by calling us toll-free at 1-844-919-1623.