Retail Payments Activities Regulations released and open for comment

By Kevin Landry and Colton Smith

The Retail Payment Activities Regulations have been released in the Canada Gazette Part 1 for comment. Interested persons may make representations concerning the proposed regulations for a period of 45 days.

The regulations provide further detail about the governance structure being imposed by the Retail Payments Activities Act, which we have previously written about here and here.

The Retail Payments Activities Act was enacted by the federal government in June 2021 with the objective of regulating retail payment providers in Canada.

What Will the Retail Payments Activities Regulations Do?

Certain Parties Excluded

The proposed Retail Payment Activities Regulations provide further specifics on parties who are excluded from the application of the Retail Payments Activities Act.

Regarding securities transactions, the Retail Payments Activities Act states that electronic funds transfers are excluded from the Act if they are made “for the purpose of giving effect to a prescribed transaction in relation to securities”. The Retail Payment Activities Regulations elaborate on this exemption, defining these prescribed transactions as those that are performed by an individual or entity under Canadian securities legislation. These transactions are excluded as they are not for the purpose of retail payments and are already captured by provincial securities regulators.

The Retail Payment Activities Regulations also exclude the Society for Worldwide Interbank Financial Telecommunication global messaging network (SWIFT) from the application of the Retail Payments Activities Act, as it is already subject to supervision by major central banks (including the Bank of Canada).

Finally, the Retail Payment Activities Regulations will further exclude retail payment activities that are performed as a service or business activity which is incidental to other services or business activities that are not a payment function.

Safeguarding of End User Funds

The proposed Retail Payment Activities Regulations also provides clarity on the steps payment service providers are to take to safeguard end-user funds. These regulations are intended to protect the funds of consumers and businesses from financial loss in the event that a payment service provider becomes insolvent. To achieve this objective, the Retail Payment Activities Regulations requires that payment service providers must either:

• hold funds in trust in a trust account; or
• hold funds in a segregated account while also holding insurance or a guarantee with respect to the funds.

The Retail Payment Activities Regulations would also require that accounts that are used to hold end-user funds must be held at regulated financial institutions, such as banks, provincial credit unions, or foreign financial institutions. Additionally, if payment service providers choose to insure or guarantee end-user funds, the insurance or guarantee must also be from a regulated financial institution that is not an affiliate of the payment service provider. Furthermore, any insurance or guarantee proceeds are required to be payable to end user as soon as possible following insolvency, and must not form a part of the general estate of the payment service provider.

Under the Retail Payment Activities Regulations, payment service providers will also have to implement a “Fund Safeguarding Framework” that will ensure that funds make their way to end users without delay upon bankruptcy. This written framework must describe the “systems, policies, processes, procedures, controls and other means” to meet the objective of safe-guarding end user funds. This will require payment service providers to make use of liquidity arrangements to hold end-user funds in secure and liquid assets, as well as keeping accurate records of end users as well as the amount of funds currently held.

Safeguarding measures taken by payment service providers will be reviewed annually, and biennially by independent parties. Payment service providers will also be required to evaluate if end-user funds were not properly safeguarded in the year prior, and to implement steps to prevent these circumstances from occurring.

Registration

Under the Retail Payment Activities Regulations, applicants will be required to pay a one-time registration fee of $2,500 (to be adjusted for inflation). This does not include the separate annual assessment fee to be paid by payment service providers. The Retail Payment Activities Regulations also provides further details on the information that is required to be included within an application under the Retail Payment Activities Act.

The Bank of Canada will maintain a registry of all registered payment service providers, and may refuse or revoke applications if a payment service provider is behind on assessment fees, or if the Retail Payment Activities Act no longer applies to the payment service provider. Under the Retail Payment Activities Regulations, the registry will contain information regarding the registration status of the payment service provider, their business contact information, and the payment functions they perform.

Additionally, new applications will be required to be filed if an individual or entity wishes to acquire control of a payment service provider. Control is defined within the Retail Payment Activities Regulations and would include acquiring direct or indirectly more than one-third of the votes that may be cast to elect the directors of the payment service provider or acquiring control of an entity that controls the payment service provider.

Reporting

Under the Retail Payments Activities Act, payment service providers must establish, implement and maintain an operational risk management and incident response framework and implement certain measures to safeguard end-user funds, if applicable.

The Bank of Canada is tasked with monitoring and assessing registered payment service providers performance of the above noted obligations. To do so, payment service providers will be required to submit three kinds of reports:

• Annual reports will be required to contain a risk management framework that includes a description of operational risks and the human and financial resources used to implement the framework. Annual reports will also be required to contain a description of their fund safeguarding framework, which must include a description of the methods used to safeguard funds, a description of the Fund Safeguarding Framework, information on account providers, and independent reviews that were conducted in the year prior. Finally, the annual report will be required to include information on the total value of end-user funds held, the volume and value of electronic fund transfers related to the performance of a retail payment activity, the number of end users, and the number of payment service providers that services are provided to.
• Significant change reports require notices to be filed at least 5 days prior to making a significant change. Additionally, the contents of the report will be required to include information regarding the reason for the change, and the payment service providers evaluation of the changes effect on operational risks or fund safeguarding, as well as any new policies introduced due to the change.
• Incident reports, which contain a description of incidents that have a “Material Impact” on end users, payment service providers, and certain financial market infrastructure. These reports will outline the incidents and its impact on individuals/entities affected, as well as the actions taken by the payment service provider to respond to the incident.

The Bank of Canada will use these reports, along with responses to requests submitted to payment service providers, to assess a payment service providers compliance. Assessment may include desk reviews, on-site visits, or a special audit.

Finally, the Retail Payment Activities Regulations would provide for a standard period of 15 days to respond to information requests from the Bank of Canada, unless they are related to ongoing events that may have a significant adverse impact, in which case the response time would be required within 24 hours.

Penalties and Enforcement

The proposed Retail Payment Activities Regulations establish a wide-ranging set of penalties for serious to very serious violations of the Retail Payment Activities Act. These include penalties of up to $1,000,000 per violation for “serious violations” and up to $10,000,000 per violation for “very serious” violations. Enforcement will be up to the Bank of Canada. Further information on enforcement, as well as the Bank of Canada’s supervisory role under the Retail Payment Activities Regulations can be found here.

This update is intended for general information only. If you have questions about the above, please contact the author(s) to discuss your needs for specific legal advice relating to the particular circumstances of your situation.

Click here to subscribe to Stewart McKelvey Thought Leadership