On February 11, 2023, the Department of Finance published the long-awaited proposed Retail Payment Activities Regulations (the "Regulations") under the Retail Payment Activities Act ("RPAA"). Together with the RPAA, the Regulations will set out the new regulatory regime applicable to payment service providers ("PSPs") carrying out retail payment activities. This regime will be governed by the Bank of Canada (the "BoC").

For more information about the BoC's governance framework, please refer to our publication titled "Bank of Canada Releases Retail Payments Supervisory Framework". For more information about the RPAA, please refer to our publication titled "Federal Government Releases Draft Legislation to Regulate Retail Payments".

Some key aspects of the Regulations are set out below. The Regulations are subject to a 45-day consultation period, during which time feedback can be provided using the commenting feature on the Canada Gazette website.

Registration & Fees

The RPAA generally requires PSPs, which include individuals or entities that perform one or more of the "payment functions" described in the RPAA as a service or business activity that is not incidental to another service or business activity, to register with the BoC.

In addition to the exclusions set out in the RPAA itself, the Regulations exclude from the application of the RPAA certain additional entities and activities, including:

  • the Society for Worldwide Interbank Financial Telecommunication global messaging network (SWIFT);
  • transactions in relation to securities if performed by an individual or entity that is regulated (or exempted from regulation) under Canadian securities legislation; and
  • in line with the definition of PSPs, retail payment activities performed as a service or business activity that is incidental to another service or business activity that is not a payment function. Some businesses that carry out retail payment activities as part of their business will want to clarify the scope of this exclusion.

The Regulations also establish a one-time registration fee of $2,500, indexed to inflation, and an annual assessment fee comprised of a fixed base amount applicable to all registered PSPs, and a variable amount that is proportionally distributed among all registered PSPs based on their share of retail payment activity.

Risk Management and Incident Response

The Regulations set out the detailed requirements to be included in a PSP's risk management and incident response framework (the "RMIRF"). These include, for example, that the RMIRF (i) set out clearly defined and measurable reliability targets for the ability to perform the retail payment activities, (ii) identify the human and financial resources that are required to implement and maintain the RMIRF, (iii) allocate specific roles and responsibilities in respect of the implementation and maintenance of the RMIRF, (iv) identify, and describe the potential causes of, all of the PSP's operational risks, and (v) if the PSP receives services from a third-party service provider, set out the means by which it will conduct annual assessments of such third-party service providers, agents and mandataries, keep records of such annual assessments and clearly allocate responsibilities of the PSP and the third-party, including importantly in relation to ownership, integrity, confidentiality and availability of data and information. PSPs should refer to the Regulations for a complete description of the requirements for their respective RMIRF, including a comprehensive plan for responding to and recovering from incidents with all prescribed content.

The Regulations also require that the RMIRF be approved by a senior officer and reviewed:

  • at least once a year;
  • before a PSP makes any significant change to its operations or its policies, procedures, processes, controls or other means of managing operational risk; or
  • following an incident that causes the reduction, deterioration or breakdown of any retail payment activity of the PSP and has a material effect on the end user or another PSP.

Of note, the Regulations provide that all aspects of the RMIRF, including targets, systems, policies, procedures, processes and controls, need to be proportionate to the impact that a reduction, deterioration or breakdown of the PSP's retail payment activities could have on end users and other PSPs, having regard to factors including the PSP's ubiquity and connectedness.

Safeguarding of Funds

The Regulations provide for additional requirements to supplement the provisions regarding the protection of the funds of the end users provided under the RPAA itself. In particular:

  • a PSP that is either holding end-user funds in trust or in a segregated account with insurance or a guarantee in respect of such funds is required to hold such funds with a prudentially regulated financial institution;
  • the insurance or guarantee in respect of funds held in a segregated account must be provided by a prudentially regulated financial institution that is not affiliated with the PSP; and
  • the proceeds of the insurance or guarantee in respect of funds held in a segregated account must not form part of the PSP's estate and must survive the PSP's insolvency.

In addition, PSPs are required to establish, implement and maintain a safeguarding-of-funds framework (the "SFF"). The SFF must ensure that end users have reliable access to their funds without delay, and that, in the event of the PSP's insolvency, the end users' funds, or proceeds of the insurance or guarantee, are paid to end users as soon as feasible. To achieve these objectives, the SFF must describe systems, policies, processes, procedures, controls and other means, including the PSP's use of liquidity arrangements and its holding of end-user funds in the form of secure and liquid assets. PSPs must also include in their SFF a requirement to keep a ledger with the name and contact information of each end user and the amount of funds belonging to each of those end users that is held at the end of each day. The SFF must also identify legal risks and operational risks that could hinder the meeting of the objectives and the means of mitigating those risks.

Similar to the RMIRF, the SFF will need to be approved by a senior officer and reviewed annually and upon the occurrence of specified changes.

Reporting

PSPs are subject to a number of reporting obligations to the BoC pursuant to the RPAA and the Regulations. These include, for example:

  • the requirement to submit an annual report, which must include, among other things, objectives, information about the PSP's RMIRF (including changes to the RMIRF and the human and financial resources to implement and maintain the RMIRF), a description of operational risks, information about the number of end users, insurance and guarantees, the safeguarding of end-user funds, and the number and value of electronic funds transfers;
  • the requirement to provide five business days' advance notice of a significant change in the way a PSP performs a retail payment activity or if it plans to perform a new retail payment activity; and
  • the requirement to provide other information which may be requested by the BoC within specified time periods.

National Security Review

The Regulations provide additional details on the national security review process, including the timelines for review by the Minister of Finance. In particular, the Regulations prescribe a 60-day period for the Minister to review applications for national security concerns as part of the registration process for PSPs, and a 180-day period for national security reviews if a formal review is required.

Enforcement

The Regulations set out the designated violations that can be subject to a notice of violation and an accompanying administrative monetary penalty ("AMP").

The designated violations are classified as either serious violations or very serious violations (however, two or more serious violations that arise from the contravention of the same provision of the RPAA or the Regulations will be reclassified as a single very serious violation). Serious violations can result in an AMP of up to $1,000,000, and very serious violations can result in an AMP of up to $10,000,000. Violations related to the provision of information are not classified as serious or very serious; however, the Regulations provide that the amount of the penalty in respect of such a violation is $500 for each day that it has continued, if the violation has continued for no more than 30 days, and from $15,000 to $1,0000,000 if the violation has continued for more than 30 days.

Furthermore, as discussed in our previous publication titled "Bank of Canada Releases Retail Payments Supervisory Framework," the BoC can enter into formal compliance agreements with PSPs to rectify non-compliance, which can reduce the associated AMP.

Looking Ahead

Although the Regulations are not yet in force and are subject to change, they fill in many of the gaps in the new regulatory regime regarding retail payment activities, and provide helpful information about the many compliance requirements that will be applicable to PSPs. The BoC is expected to publish further guidance on these requirements, which will hopefully eliminate some of the remaining questions regarding the regime.
